9/15/22, 12:47 PM AZ-900 Exam Free Actual Q&As, Page 1 | ExamTopics
Topic 1
Question #208
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure environment. You need to create a new Azure virtual machine from a tablet that runs the Android operating system.
Solution: You use the Azure portal.
Does this meet the goal?
A. Yes
B. No
Correct Answer: A
The Azure portal is a web-based, unified console that provides an alternative to command-line tools. With the Azure portal, you can manage
your Azure subscription using a graphical user interface. You can build, manage, and monitor everything from simple web apps to complex
cloud deployments. Create custom dashboards for an organized view of resources. Configure accessibility options for an optimal experience.
Being web-based, the Azure portal can be run on a browser from a tablet that runs the Android operating system.
References:
https://docs.microsoft.com/en-us/azure/azure-portal/azure-portal-overview
Kavitw Highly Voted 1 year, 4 months ago
correct for portal
upvoted 9 times
slayerdrum Most Recent 3 weeks, 6 days ago
Selected Answer: A
You can do almost everything in the portal.
upvoted 1 times
Lazylinux 1 month, 1 week ago
Selected Answer: A
Yes u can
upvoted 1 times
JC_de_Sevilla 2 months, 1 week ago
Selected Answer: R
The A option
upvoted 1 times
Pa1theAchiever 2 months, 2 weeks ago
option A
upvoted 1 times
cuentaalternajsr 3 months, 1 week ago
Yes, it is correct.
upvoted 1 times
cormorant 6 months, 1 week ago
easier than running PS from Azure Cloud Shell from an Android tablet, that's for sure
upvoted 3 times
Tara24 6 months, 1 week ago
the answer is Yes
upvoted 1 times
sudheerdhawangis 1 year, 2 months ago
powerapp:website so answer N
azure portal:vm so answer Y
upvoted 1 times
panal 1 year, 6 months ago
Answer is Correct.
upvoted 4 times
Ashwin21 1 year, 7 months ago
not able to see any discussions
upvoted 1 times
Massy 1 year, 7 months ago
it's a recently added question, so yours is the first comment. In addition, the answer is really easy so I think there's nothing to
discuss...
upvoted 8 times
hf443 1 year, 7 months ago
indeed. It's like most of the discussions were erased.
upvoted 1 times
https://www.examtopics.com/exams/microsoft/az-900/custom-view/ 361/598
Topic 1
Question #209
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:
Correct Answer:
Microsoft 365 compliance is now called Microsoft Purview and the solutions within the compliance area have been rebranded.
When you first visit the compliance portal, the card section on the home page shows you at a glance how your organization is doing with data
compliance, what solutions are available for your organization, and a summary of any active alerts.
From here, you can:
* Review the Microsoft Purview Compliance Manager card, which leads you to the Compliance Manager solution. Compliance Manager helps
simplify the way you manage compliance.
* Review the new Solution catalog card, which links to collections of integrated solutions you can use to help you manage end-to-end
compliance scenarios. A solution's capabilities and tools might include a combination of policies, alerts, reports, and more.
* Review the Active alerts card, which includes a summary of the most active alerts and includes a link where you can view more detailed
information, such as Severity, Status, Category, and more.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/microsoft-365-compliance-center
Flubu 1 week, 1 day ago
Microsoft Trust Center
upvoted 1 times
yz0067 1 week, 1 day ago
Microsoft Trust Center indeed
upvoted 1 times
Topic 1
Question #210
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:
Correct Answer:
Azure Arc simplifies governance and management by delivering a consistent multi-cloud and on-premises management platform.
Azure Arc provides a centralized, unified way to:
Manage your entire environment together by projecting your existing non-Azure and/or on-premises resources into Azure Resource Manager.
Manage virtual machines, Kubernetes clusters, and databases as if they are running in Azure.
Etc.
Incorrect:
* Why use Azure AD Connect?
Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both
cloud and on-premises resources. Users and organizations can take advantage of:
Users can use a single identity to access on-premises applications and cloud services such as Microsoft 365.
Single tool to provide an easy deployment experience for synchronization and sign-in.
Provides the newest capabilities for your scenarios. Azure AD Connect replaces older versions of identity integration tools such as DirSync and
Azure AD Sync.
* VPN Gateway sends encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. You can also use
VPN Gateway to send encrypted traffic between Azure virtual networks over the Microsoft network. A VPN gateway is a specific type of virtual
network gateway.
* A pipeline agent is the machine where your build is performed. An agent is installable software that runs one job at a time. An agent job is a set of
steps that is recognized as an execution boundary. Each job runs on an agent. All of the steps run together on the same agent.
Reference:
https://docs.microsoft.com/en-us/azure/azure-arc/overview
Topic 1
Question #211
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: No -
Easily manage your Azure storage accounts in the cloud, from Windows, macOS, or Linux, using Azure Storage Explorer.
Box 2: Yes -
Azure cloud services can be managed in Azure Automation by using the PowerShell cmdlets that are available in the Azure PowerShell tools.
Box 3: Yes -
Reference:
https://azure.microsoft.com/en-us/features/storage-explorer/
https://docs.microsoft.com/en-us/azure/cloud-services/automation-manage-cloud-services
Topic 1
Question #212
HOTSPOT -
To complete the sentence, select the appropriate option in the answer area.
Hot Area:
Correct Answer:
Azure Databricks is an Apache Spark-based analytics platform. The platform consists of several components including 'MLlib'. MLlib is a
Machine Learning library consisting of common learning algorithms and utilities, including classification, regression, clustering, collaborative
filtering, dimensionality reduction, as well as underlying optimization primitives.
Reference:
https://docs.microsoft.com/en-us/azure/azure-databricks/what-is-azure-databricks#apache-spark-based-analytics-platform
kelvintoys93 Highly Voted 1 year ago
Answer is correct. Azure Databricks is known for designing AI with Apache Spark™-based analytics.
https://azure.microsoft.com/en-us/services/databricks/
upvoted 11 times
AidenYoukhana Most Recent 8 months, 2 weeks ago
Azure Databricks is the correct answer!
upvoted 1 times
Rawatvs 9 months ago
Got it on 17-12-21
upvoted 1 times
abelk 9 months, 1 week ago
Correct
upvoted 1 times
Mouhammad1 9 months, 2 weeks ago
Apache Spark Databricks
upvoted 1 times
teespice 10 months, 2 weeks ago
Correct
upvoted 1 times
alejobaena 11 months ago
Asked 16 Oct 2021
upvoted 4 times
Denisesys 11 months, 2 weeks ago
Got it on 3-09-2021
upvoted 2 times
diogoweb 1 year ago
Got it on 06-09-2021
upvoted 3 times
Topic 1
Question #213
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Yes -
Azure Monitor maximizes the availability and performance of your applications and services by delivering a comprehensive solution for
collecting, analyzing, and acting on telemetry from your cloud and on-premises environments.
Box 2: Yes -
Alerts in Azure Monitor proactively notify you of critical conditions and potentially attempt to take corrective action.
Box 3: Yes -
Azure Monitor uses Target Resource, which is the scope and signals available for alerting. A target can be any Azure resource. Example targets:
a virtual machine, a storage account, a virtual machine scale set, a Log Analytics workspace, or an Application Insights resource.
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/overview
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-overview
Salilgen Highly Voted 1 year, 7 months ago
I think first answer is YES: https://docs.microsoft.com/en-us/azure/azure-monitor/overview
I think second answer is NO. Azure Monitor cannot send alerts (email) to Azure AD security group but only to Azure AD user:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups.
I think last answer is YES: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-overview
upvoted 70 times
peymani 8 months, 3 weeks ago
An action group is a collection of notification preferences defined by the owner of an Azure subscription. Azure Monitor, Service Health
and Azure Advisor alerts use action groups to notify users that an alert has been triggered.--> "alerts use ACTION GROUPS" so, action
groups at this question is security group which included bunch of user who are in charge of security. So, correct answer is YES.
https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups
upvoted 6 times
ChXed 1 year, 7 months ago
Correct: Second will be no as it is clearly mentioned that emails will not be sent to Azure AD security group. Thanks for pointing it out.
upvoted 6 times
Pinscher 1 year, 7 months ago
Are you referring to this paragraph roughly at the middle of the page
Email Azure Resource Manager Role
Send email to the members of the subscription's role. Email will only be sent to Azure AD user members of the role. Email will not be
sent to Azure AD groups or service principals.
upvoted 6 times
panal 1 year, 6 months ago
I Agree
upvoted 2 times
panal Highly Voted 1 year, 6 months ago
Answer is Y-N-Y
- https://docs.microsoft.com/en-us/azure/azure-monitor/overview
- https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups
- https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-overview
upvoted 16 times
Pa1theAchiever Most Recent 2 months, 2 weeks ago
Yes Yes Yes
upvoted 5 times
cormorant 6 months, 1 week ago
in addition to monitoring your on-prems, Azure Mon can both send and trigger alerts
upvoted 1 times
Meyti 6 months, 1 week ago
Y,N,Y
Send email to the members of the subscription's role. Email will only be sent to Azure AD user members of the role. Email won't be sent to
Azure AD groups or service principals.
A notification email is sent only to the primary email address.
Source1:
https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager-role
Source2:
https://docs.microsoft.com/en-us/learn/azure-fundamentals/monitoring-fundamentals/media/2-identify-product-options-01.png
Source3:
https://docs.microsoft.com/en-us/learn/modules/monitoring-fundamentals/2-identify-product-options
upvoted 1 times
rrcool 6 months, 2 weeks ago
Was on exam 26/02/2022
upvoted 2 times
MS_Learner 7 months, 1 week ago
Got Feb 10, 2022
upvoted 3 times
ZEEb 7 months, 1 week ago
YYY.
I wrote my exam a few minutes ago and I passed!
I highly recommended exam topics🤌
upvoted 7 times
yunyunqian 7 months, 3 weeks ago
is sending alerts equals to sending emails?
upvoted 2 times
JOJO2050 8 months, 1 week ago
ANS : Y-Y -Y
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups
Like distribution groups, security groups can be used as an email entity. Sending an email message to the group sends the message to all
the members of the group.
upvoted 3 times
JasBonker1 8 months, 3 weeks ago
Second Answer is Yes:
Like distribution groups, security groups can be used as an email entity. Sending an email message to the group sends the message to all
the members of the group.
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups
upvoted 7 times
AZ_Guru_Wannabe 8 months, 3 weeks ago
I agree - that's pretty clear explanation you linked. Thanks!
Y, Y, Y answers
upvoted 1 times
RichC 9 months, 3 weeks ago
appear 26 Nov
upvoted 2 times
himanshu_90677 9 months, 3 weeks ago
second answer: Alerts proactively notify you when issues are found with your infrastructure or application using your monitoring data in
Azure Monitor. They allow you to identify and address issues before the users of your system notice them.
upvoted 1 times
Azuni 9 months, 3 weeks ago
I got this question in the exam 22/11/2021 (FYI, the second answer is Yes)
upvoted 5 times
Johagmg 10 months ago
So what is the correct answer?
upvoted 2 times
easygo68 10 months, 1 week ago
Be asked in the 11.11.2021 exam!
upvoted 2 times
Vincenzo_Cassano 10 months, 4 weeks ago
on exam OCT 22, 2021
upvoted 4 times
Topic 1
Question #214
Which Azure service provides a set of version control tools to manage code?
A. Azure Repos
B. Azure DevTest Labs
C. Azure Storage
D. Azure Cosmos DB
Correct Answer: A
Azure Repos is a set of version control tools that you can use to manage your code.
Incorrect Answers:
B: Azure DevTest Labs creates labs consisting of pre-configured bases or Azure Resource Manager templates. These have all the necessary
tools and software that you can use to create environments.
D: Azure Cosmos DB is Microsoft's globally distributed, multi-model database service.
References:
https://docs.microsoft.com/en-us/azure/devops/repos/get-started/what-is-repos?view=azure-devops
RohitRai89 Highly Voted 2 years, 3 months ago
I instantly thought of Devops, but to my surprise it isn't there. What is Azure Repos, never heard.
upvoted 26 times
Slawx 1 year, 3 months ago
https://azure.microsoft.com/en-us/services/devops/repos/
Git Repositories
upvoted 5 times
JerryW 2 years, 3 months ago
What is it like if you do not pay your invoice they come and repo your subscription lol
upvoted 9 times
lchade 4 months, 1 week ago
Repos is correct (so is DevOps if it exists in the choices). Repos is a section in DevOps.
upvoted 2 times
Sisb 7 months, 4 weeks ago
Me too, I at once thought of DevOps as a developer. Funny
upvoted 3 times
JC_de_Sevilla Most Recent 2 months, 1 week ago
Selected Answer: A
Correct Answer is A.
upvoted 1 times
Pa1theAchiever 2 months, 2 weeks ago
Azure Repos
upvoted 1 times
cuentaalternajsr 3 months, 1 week ago
Repos, it is correct
upvoted 1 times
JKRowlings 4 months, 3 weeks ago
Azure Repos is Microsoft version of GitHub which has version control
upvoted 1 times
Rodz 5 months ago
A is correct. All the rest are not related to Repository except "Azure Repos"
upvoted 1 times
Mouhammad1 9 months, 2 weeks ago
Repos set of version
upvoted 1 times
RahulSen 1 year ago
Answer is Correct
upvoted 2 times
bgi 1 year, 3 months ago
it's Azure Repo
https://docs.microsoft.com/en-us/learn/modules/azure-devops-devtest-labs/2-identify-product-options
upvoted 1 times
Gerardo1971 1 year, 4 months ago
Correct answer
upvoted 3 times
SilkyS19 1 year, 4 months ago
Correct Answer -A
Azure Repos is a set of version control tools that you can use to manage your code. Whether your software project is large or small, using
version control as soon as possible is a good idea.
upvoted 4 times
[Removed] 1 year, 5 months ago
repos = repository
upvoted 3 times
panal 1 year, 6 months ago
Correct Answer is A.
Azure repo is a part of Azure DevOps
upvoted 4 times
Sultanista 2 years, 2 months ago
It is correct.
REF: first line of - https://docs.microsoft.com/en-us/azure/devops/repos/get-started/what-is-repos?view=azure-devops
upvoted 1 times
Cloudyuga 2 years, 2 months ago
azure repos correct
upvoted 4 times
Yani_Bear 2 years, 3 months ago
https://docs.microsoft.com/en-us/azure/devops/repos/get-started/what-is-repos?view=azure-devops
upvoted 3 times
sid_number0 2 years, 4 months ago
Azure DevOps? Which isn't even there
upvoted 3 times
Shamos 2 years, 4 months ago
"version control tools " means Azure Repo and its part of devOps
upvoted 5 times
Topic 1
Question #215
HOTSPOT -
You need to manage Azure by using Azure Cloud Shell.
Which Azure portal icon should you select? To answer, select the appropriate icon in the answer area.
Hot Area:
Correct Answer:
You can access Azure Cloud Shell in the Azure portal by clicking the icon.
Azure Cloud Shell is an interactive, authenticated, browser-accessible shell for managing Azure resources. It provides the flexibility of choosing
the shell experience that best suits the way you work, either Bash or PowerShell.
Cloud Shell enables access to a browser-based command-line experience built with Azure management tasks in mind.
References:
https://docs.microsoft.com/en-us/azure/cloud-shell/overview?view=azure-cli-latest
Jurial Highly Voted 2 years, 7 months ago
Select the button on top right side which is similar to ">-" signed.
upvoted 44 times
Rui05 Highly Voted 2 years ago
Came in exam today
upvoted 14 times
Pa1theAchiever Most Recent 2 months, 2 weeks ago
correct
upvoted 1 times
cuentaalternajsr 3 months, 1 week ago
It is correct.
upvoted 1 times
Arvind_Kumar_Avinash 3 months, 3 weeks ago
Click the icon with '>_' sign i.e. the icon right to the search input box.
upvoted 1 times
cormorant 6 months, 1 week ago
azure cloud shell >>>>>>>>>>>
upvoted 1 times
mafermv 7 months ago
I got it on the exam 14/02/2022
upvoted 3 times
Ahlay 8 months ago
Got it on 01-14-2022
upvoted 4 times
RichC 9 months, 3 weeks ago
appear 26 Nov
upvoted 1 times
himanshu_90677 9 months, 3 weeks ago
select " >_ "
upvoted 1 times
Azuni 9 months, 3 weeks ago
I got this question in the exam 22/11/2021
upvoted 1 times
MayankC 9 months, 3 weeks ago
Got this one on 22-Nov-2021
upvoted 1 times
Crash_Override1PhantomPhreak 10 months, 2 weeks ago
Got this on exam 4 days ago
upvoted 1 times
BL101 11 months, 2 weeks ago
I had this in the exam - make sure you have selected the icon properly - I thought I had but it said I hadn't answered the question when I
went back through
upvoted 2 times
AoifeK98 11 months, 3 weeks ago
appeared on 27.9.21
upvoted 2 times
RahulSen 1 year ago
Answer is Correct
upvoted 2 times
Raviraj44 1 year, 1 month ago
Select powershell icon
upvoted 2 times
Topic 1
Question #216
You have a virtual machine named VM1 that runs Windows Server 2016. VM1 is in the East US Azure region.
Which Azure service should you use from the Azure portal to view service failure notifications that can affect the availability of VM1?
A. Azure Service Fabric
B. Azure Monitor
C. Azure virtual machines
D. Azure Advisor
Correct Answer: C
In the Azure virtual machines page in the Azure portal, there is a column named Maintenance Status. This column will display service issues that could
affect your virtual machine. A service failure is rare but host server maintenance that could affect your virtual machines is more common.
Azure periodically updates its platform to improve the reliability, performance, and security of the host infrastructure for virtual machines. The
purpose of these updates ranges from patching software components in the hosting environment to upgrading networking components or
decommissioning hardware.
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/maintenance-and-updates
Himanshumittal500 Highly Voted 2 years, 7 months ago
Azure Monitor maximizes the availability and performance of your applications by delivering a comprehensive solution for collecting,
analyzing, and acting on telemetry from your cloud and on-premises environments. It helps you understand how your applications are
performing and proactively identifies issues affecting them and the resources they depend on.
upvoted 96 times
habibbashar 1 year, 2 months ago
what is the real ans for this question...?? Pls inform me.
upvoted 6 times
Georgess 10 months, 3 weeks ago
I would go with B.
upvoted 6 times
sam2k 1 year ago
C. Azure Virtual Machine
upvoted 6 times
troublestarterx Highly Voted 2 years, 4 months ago
This is in Azure Virtual Machine : https://docs.microsoft.com/en-us/azure/virtual-machines/maintenance-notifications-portal
upvoted 66 times
papaka Most Recent 2 weeks, 5 days ago
I personally think that Azure resource Health would be an exemplary azure service in this regard, however, it's not indicated in any of the
existing solutions.
upvoted 1 times
AdminAy 2 weeks, 6 days ago
Selected Answer: B
I believe the answer is C.
Option B states 'virtual machines' - which is azure's service for creating or deleting VMs, not managing them. If the option specified on
the VM1 machine, it could be a whole different ball game. Azure Monitors seems to be the closest option to monitoring service failures on
VMS
upvoted 1 times
IssaZeidan 3 weeks, 2 days ago
Selected Answer: B
The correct answer is B
upvoted 2 times
leusa 1 month ago
Selected Answer: B
It should be B Azure Monitor Azure Monitor brings together all your monitoring settings and data into one consolidated view. It first
opens to the Activity log section.
https://docs.microsoft.com/en-us/azure/service-health/service-notifications
upvoted 1 times
Lazylinux 1 month, 1 week ago
Selected Answer: B
B For sure
In Azure portal go to Monitor => Service Health
upvoted 2 times
A_N_A_N_Y_A 2 months, 1 week ago
Correct answer is B.
https://docs.microsoft.com/en-us/azure/service-health/service-notifications
upvoted 2 times
Kruser 2 months, 2 weeks ago
Selected Answer: B
Correct
upvoted 1 times
Agre 2 months, 2 weeks ago
Azure CLI
Cross-platform command-line interface, installable on Windows, macOS, Linux
Runs in Windows PowerShell, Cmd, or Bash and other Unix shells.
Azure PowerShell
Cross-platform PowerShell module, runs on Windows, macOS, Linux
Requires Windows PowerShell or PowerShell
Correct answer: A
upvoted 1 times
Agre 2 months, 2 weeks ago
Selected Answer: B
Correct
upvoted 1 times
Agre 2 months, 2 weeks ago
Selected Answer: C
Correct
upvoted 3 times
Pa1theAchiever 2 months, 2 weeks ago
Azure VN
upvoted 1 times
silviogremio 2 months, 3 weeks ago
Selected Answer: B
I understand that Azure Monitor provides information about resources but the main point here was the context about Region. Microsoft
can specifically tell about issues that may affect VM in a specific section in VM management panel.
upvoted 1 times
silviogremio 2 months, 3 weeks ago
Correcting, letter C) can't update my selected Answer
upvoted 2 times
bouti 2 months, 3 weeks ago
should be azure monitor because in azure monitor we can see the ram cpu usage etc.
upvoted 1 times
Wuang 3 months, 1 week ago
Selected Answer: B
Azure Monitor is the correct answer in my opinion
upvoted 1 times
EmmaW 3 months, 1 week ago
The correct answer should be Azure Monitor. From there, we go to Azure Service Health, and it can show us the health status of the VMs.
upvoted 3 times
Topic 1
Question #217
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your Azure environment contains multiple Azure virtual machines.
You need to ensure that a virtual machine named VM1 is accessible from the Internet over HTTP.
Solution: You modify an Azure Traffic Manager profile.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
Azure Traffic Manager is a DNS-based load balancing solution. It is not used to ensure that a virtual machine named VM1 is accessible from the
Internet over HTTP.
To ensure that a virtual machine named VM1 is accessible from the Internet over HTTP, you need to modify a network security group or Azure
Firewall.
In this question, we need to add a rule to a network security group or Azure Firewall to allow the connection to the virtual machine on port 80
(HTTP).
References:
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview
pcce5w2hlh Highly Voted 2 years, 8 months ago
Answer is B.
Because Traffic Manager is used to distribute traffic at DNS level across different regions.
upvoted 62 times
Clouddog 2 years, 2 months ago
https://azure.microsoft.com/nl-nl/resources/videos/how-azure-traffic-manager-works/
upvoted 4 times
gassen Highly Voted 2 years, 3 months ago
just for the future
If the Question doesn't raise any question please stop posting comments, it's a source of frustration and Confusion
upvoted 46 times
PeteMitchell 2 years, 3 months ago
I actually enjoy having context to why one option is not valid, let people comment and be happy they are there to do so.
upvoted 50 times
redredeye 2 years, 2 months ago
I agree. I prefer more context too.
upvoted 6 times
P69 2 years, 2 months ago
responses of people are useful to understand justifications
upvoted 9 times
Zenti 2 years, 2 months ago
justifications for answers is the whole point on the Discussion section
upvoted 6 times
nick1970 2 years ago
The problem is most of the people are only saying yes or no. They don't explain why.
upvoted 4 times
Piiri565 2 years, 1 month ago
I think comments make the concepts to understand much better, just by knowing the answer and moving to the next question. Let the
people connect. It's the source of Knowledge
upvoted 6 times
nick1970 2 years ago
100 thumbs up. So true.
upvoted 1 times
Enits 1 year, 9 months ago
It's good to get broader perspective from different people
upvoted 3 times
mufflon Most Recent 9 months, 1 week ago
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
upvoted 1 times
Tonyburg 10 months, 2 weeks ago
Why do you guys repeat the solution when it is correct? Please comment something that actually adds up. An explanation or a link are
welcome, the rest is bullsh*t
upvoted 1 times
panal 1 year, 6 months ago
Answer is B.
upvoted 1 times
LTI_Bois 1 year, 7 months ago
Ans is B
upvoted 1 times
gyxo 1 year, 8 months ago
my exam is today, wish me luck
upvoted 9 times
Ebenezer 1 year, 10 months ago
You need to modify an Azure Firewall.
upvoted 1 times
AmyBdz 1 year, 11 months ago
Yes, B.
upvoted 1 times
GeneCarl 2 years ago
True letter b
upvoted 1 times
DDV 2 years ago
perfect comments are very useful, please continue doing as it helps in the learning journey
upvoted 1 times
MK1368 2 years ago
B answer
upvoted 1 times
stace 2 years, 2 months ago
no is correct
upvoted 1 times
emraanmeer 2 years, 2 months ago
correct
upvoted 1 times
JohnathhanWick 2 years, 6 months ago
azure firewall.....as the previous question
upvoted 2 times
mikamozg 9 months, 4 weeks ago
previous question should be nsg
upvoted 1 times
MPAzureTraining900 2 years, 7 months ago
You modify an Azure firewall. Correct Answer is B
upvoted 3 times
Topic 1
Question #218
Your company plans to deploy several web servers and several database servers to Azure.
You need to recommend an Azure solution to limit the types of connections from the web servers to the database servers.
What should you include in the recommendation?
A. network security groups (NSGs)
B. Azure Service Bus
C. a local network gateway
D. a route filter
Correct Answer: A
A network security group works like a firewall. You can attach a network security group to a virtual network and/or individual subnets within the
virtual network.
You can also attach a network security group to a network interface assigned to a virtual machine. You can use multiple network security
groups within a virtual network to restrict traffic between resources such as virtual machines and subnets.
You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group
contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
sheddy Highly Voted 2 years, 7 months ago
Keyword is "several". You will want to use a group for multiple VMs traffic rules.
upvoted 28 times
Rainman 2 years, 2 months ago
but i was expecting to see either "A fire wall" or "multiple NSGs" .
upvoted 5 times
LexusNX425 2 years, 1 month ago
You could have multiple VMs in a single NSG
upvoted 4 times
success101 Highly Voted 2 years, 8 months ago
A is correct
upvoted 25 times
kaushu400 2 years, 7 months ago
oh really?
upvoted 14 times
nexter 2 years, 7 months ago
oh yeah
upvoted 36 times
getazusername 1 year, 10 months ago
ouh yeah!
upvoted 1 times
shashu07 1 year, 10 months ago
Keyword is "web servers and several database servers to Azure" ie internal traffic to VMs, so answer is NSG.
We can consider Firewall, its point to external traffic to VMs
upvoted 13 times
Leito82 Most Recent 1 month, 3 weeks ago
Key word is "limit". A NSG does just that.
upvoted 2 times
Krissy90 6 months ago
NSG Must be something like NetworkPolicies for Kubernetes.
upvoted 1 times
fercho 1 year ago
Appeared on 05 Sep 2021
upvoted 3 times
taoj 1 year, 3 months ago
Got it on 01 Jun 2021
upvoted 3 times
Gerardo1971 1 year, 4 months ago
Correct answer
upvoted 1 times
Siwe 1 year, 4 months ago
Definitely NSG
upvoted 1 times
shalinics1211111 1 year, 5 months ago
am not having the access to see all the questions, can these 100 questions sufficient
upvoted 1 times
sdas2021 1 year, 5 months ago
A is correct. This came in the test yesterday.
upvoted 4 times
panal 1 year, 6 months ago
Answer is B.
upvoted 2 times
Andyk19 1 year, 3 months ago
good luck
upvoted 4 times
FabiZamora93 1 year, 4 months ago
You comment on all questions but never justify...
upvoted 7 times
serget12 1 year, 7 months ago
I would think an Application Gateway would work best
upvoted 2 times
AcetheTest 1 year, 10 months ago
I took connection "type" to mean protocol, which is an option within network security groups. The word "limit" might throw someone off,
but ultimately limiting the protocols just means picking and choosing which ones are okay.
"For each rule, you can specify source and destination, port, and protocol."
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
upvoted 1 times
Stuudent 1 year, 11 months ago
Was on exam today.
upvoted 8 times
AppleVan 2 years ago
Why is local network gateway not right?
upvoted 2 times
Stuudent 1 year, 11 months ago
I guess the reasoning is that network gateways are primarily used to connect an on-prem network with the cloud, not to limit access
between devices. If you think about it, if you put databases on a separate network, you will still need NSGs to regulate access to this
network.
upvoted 3 times
Saman25 2 years ago
We don't have the option of an application security group, but this can be achieved using NSG also by placing web servers and database
servers in different subnets. Therefore, A is correct.
upvoted 3 times
Meatface 2 years ago
NSG can't limit "types of connections"
upvoted 1 times
Topic 1
Question #219
HOTSPOT -
To complete the sentence, select the appropriate option in the answer area.
Hot Area:
Correct Answer:
You would use the Azure Activity Log, not Access Control to view which user turned off a specific virtual machine during the last 14 days.
Activity logs are kept for 90 days. You can query for any range of dates, as long as the starting date isn't more than 90 days in the past.
In this question, we would create a filter to display shutdown operations on the virtual machine in the last 14 days.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-audit
AZ900Rocks Highly Voted 1 year, 3 months ago
absolutely correct.
upvoted 8 times
SSB112 Highly Voted 7 months, 3 weeks ago
What is the difference between Activity Log & Event Hub?
upvoted 5 times
sdokmak 6 months, 2 weeks ago
"View the Azure Activity log and send it to Azure Monitor Logs, Azure Event Hubs, and Azure Storage."
upvoted 1 times
SWOng07 Most Recent 1 year, 3 months ago
correct
upvoted 2 times
Figgy_123 1 year, 4 months ago
Absolutely Right
upvoted 4 times
yesican 1 year, 5 months ago
yes, i, can
upvoted 4 times
panal 1 year, 6 months ago
Correct
upvoted 4 times
kanak01 1 year, 4 months ago
Admin should restrict this guy from posting any comment
upvoted 14 times
Topic 1
Question #220
Which service provides network traffic filtering across multiple Azure subscriptions and virtual networks?
A. Azure Firewall
B. an application security group
C. Azure DDoS protection
D. a network security group (NSG)
Correct Answer: A
You can restrict traffic to multiple virtual networks in multiple subscriptions with a single Azure firewall.
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful
firewall as a service with built-in high availability and unrestricted cloud scalability.
You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure
Firewall uses a static public IP address for your virtual network resources allowing outside firewalls to identify traffic originating from your
virtual network.
References:
https://docs.microsoft.com/en-us/azure/firewall/overview
vate01 Highly Voted 2 years, 4 months ago
I was here.
upvoted 29 times
alex100 2 years, 3 months ago
You were not alone ;)
upvoted 15 times
sandeep1111 1 year, 6 months ago
correct
upvoted 2 times
Min_Thu Highly Voted 1 year, 5 months ago
The Azure Firewall service complements network security group functionality. Together, they provide better "defense-in-depth" network
security. Network security groups provide distributed network layer traffic filtering to limit traffic to resources within virtual networks in
each subscription. Azure Firewall is a fully stateful, centralized network firewall as-a-service, which provides network- and application-level
protection across different subscriptions and virtual networks.
NSG can filter the network within a subscription, and Azure Firewall works across different subscriptions. So the answer is Azure Firewall.
upvoted 20 times
chuchu98 Most Recent 2 months, 1 week ago
correct
upvoted 1 times
Anil7177 6 months ago
Got this on 3/13/2022
upvoted 3 times
MS_Learner 7 months, 1 week ago
Got Feb 10, 2022
upvoted 2 times
mufflon 9 months, 1 week ago
Network security groups provide distributed network layer traffic filtering to limit traffic to resources within virtual networks in each
subscription. Azure Firewall is a fully stateful, centralized network firewall as-a-service, which provides network- and application-level
protection across different subscriptions and virtual networks.
upvoted 4 times
Azuni 9 months, 3 weeks ago
I got this question in the exam 22/11/2021
upvoted 1 times
Azuni 10 months ago
Filtering = Firewall
upvoted 1 times
easygo68 10 months, 1 week ago
Was asked in the 11.11.2021 exam!
upvoted 2 times
panagiss 1 year, 1 month ago
Do you guys see the questions during the exam? is that possible?
upvoted 1 times
Hibin 1 year ago
No, we have to answer blindly without knowing what is being asked.
upvoted 31 times
iwarakorn 1 year, 2 months ago
Got in exam July 02, 2021
upvoted 1 times
AZ900Rocks 1 year, 3 months ago
Firewall is correct because the question mentions between subscriptions and virtual networks
upvoted 5 times
panal 1 year, 6 months ago
Correct
upvoted 2 times
Olabua 1 year, 7 months ago
This site is unique.
upvoted 6 times
Azurite 1 year, 7 months ago
The answer Azure firewall is correct.
Azure network security group (NSG) is used to filter network traffic to and from Azure resources in an Azure virtual network. Even within
a VNET, NSG rules can become difficult to manage in large environments that contain multiple subnets and virtual machines. Of course,
Application Security Groups (ASGs) come to the rescue, which allow you to logically group virtual machines and apply security
rules at scale.
The question specifically asks for restricting traffic to multiple virtual networks in multiple subscriptions. NSG stands no chance. Only
Azure Firewall can be used for this, which is a highly available, managed firewall service that filters network and application level traffic. It
has the ability to process traffic across subscriptions and VNets that are deployed in a hub-spoke model.
upvoted 4 times
theOtherGuy 2 years ago
The Keyword here is across subscriptions. "You can centrally create, enforce, and log application and network connectivity policies across
subscriptions and virtual networks"
https://docs.microsoft.com/en-us/azure/firewall/overview
upvoted 7 times
TDAC 2 years ago
A is the correct answer. From here: https://docs.microsoft.com/en-us/azure/firewall/overview
"You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. "
upvoted 5 times
Topic 1
Question #221
Which Azure service should you use to store certificates?
A. Azure Security Center
B. an Azure Storage account
C. Azure Key Vault
D. Azure Information Protection
Correct Answer: C
Azure Key Vault is a secure store for various types of sensitive information including passwords and certificates.
Azure Key Vault can be used to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
Secrets and keys are safeguarded by Azure, using industry-standard algorithms, key lengths, and hardware security modules (HSMs). The HSMs
used are Federal Information Processing Standards (FIPS) 140-2 Level 2 validated.
Access to a key vault requires proper authentication and authorization before a caller (user or application) can get access. Authentication
establishes the identity of the caller, while authorization determines the operations that they are allowed to perform.
References:
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview
MartinMystere Highly Voted 2 years, 9 months ago
Certificate Management - Azure Key Vault is also a service that lets you easily provision, manage, and deploy public and private Secure
Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and your internal connected resources
upvoted 19 times
success101 Highly Voted 2 years, 8 months ago
C is correct
upvoted 8 times
GetAzure Most Recent 1 week, 5 days ago
Selected Answer: C
is Correct 'C'
upvoted 1 times
Siraf 2 months, 1 week ago
Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to,
such as API keys, passwords, certificates, or cryptographic keys. Key Vault service supports two types of containers: vaults and managed
hardware security module (HSM) pools.
Answer is C
upvoted 1 times
bratukham 8 months, 2 weeks ago
Selected Answer: C
Of course, C
upvoted 1 times
nrjmatta 9 months, 3 weeks ago
Selected Answer: C
Correct Answer!
upvoted 2 times
AZ900Rocks 1 year, 3 months ago
Agree. Key Vault stores the certificate
upvoted 1 times
Gerardo1971 1 year, 4 months ago
Correct answer
upvoted 1 times
rob_724 1 year, 6 months ago
Yes, it's Key Vault -- I speak from experience. We set up CDN, and for custom domains needing certs (to avoid cert mismatch issues) they are
stored on Key Vault
upvoted 1 times
panal 1 year, 6 months ago
Correct
upvoted 2 times
kjon16 1 year, 8 months ago
C should be correct
upvoted 1 times
vmn52222 1 year, 11 months ago
C is correct
upvoted 1 times
MK1368 2 years ago
C is correct
upvoted 1 times
Cloudyuga 2 years, 3 months ago
Yes, it is C. Azure Key Vault
upvoted 1 times
sniper999 2 years, 3 months ago
Azure Key Vault is correct for managing certificates.
upvoted 1 times
Topic 1
Question #222
Which Azure service can you use as a security information and event management (SIEM) solution?
A. Azure Analysis Services
B. Azure Sentinel
C. Azure Information Protection
D. Azure Cognitive Services
Correct Answer: B
Reference:
https://azure.microsoft.com/en-in/services/azure-sentinel/
Grape15 Highly Voted 1 year, 2 months ago
Can be remembered as "SIEMtinel" ;)
upvoted 75 times
Ariana_Monalisa Highly Voted 1 year, 3 months ago
Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated
response (SOAR) solution.
upvoted 17 times
HHHo Most Recent 4 months, 4 weeks ago
Got this in exam on 2022.04.18
upvoted 2 times
tacobear 6 months ago
it was on exam on 03/12/2022.
upvoted 2 times
Jason71 11 months ago
Got this on the 19/10/2021 exam!
upvoted 2 times
alejobaena 11 months ago
16 Oct 2021
upvoted 1 times
diogoweb 1 year ago
Got it on 06-09-2021
upvoted 2 times
fercho 1 year ago
Appeared on 05 Sept 2021
upvoted 1 times
Ashok160990 1 year ago
In exam on 21 Aug 2021.
upvoted 1 times
Sarahxx 1 year, 1 month ago
appeared 18th July 2021
upvoted 1 times
Edittler 1 year, 2 months ago
Azure Sentinel is a cloud-native security information and event management (SIEM) platform that uses
built-in artificial intelligence to facilitate rapid analysis of large volumes of data across an enterprise. ... Yes, Azure Sentinel is
built on the Azure platform.
upvoted 2 times
ccalvarezp 1 year, 2 months ago
Agreed, that is the answer
upvoted 1 times
examtopics_miky28 1 year, 3 months ago
Got in on 17.6.2021
upvoted 5 times
mpooja 1 year, 3 months ago
Appeared in 05 - Jun -21 Exam
upvoted 2 times
taoj 1 year, 3 months ago
Got it on 01 Jun 2021
upvoted 2 times
Adefe 1 year, 3 months ago
Correct
upvoted 1 times
Topic 1
Question #223
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/overview
wendyy Highly Voted 1 year ago
I think the first should be NO. Azure Sentinel uses a Log Analytics workspace to store logs. After 90 days if Sentinel is enabled. Then you can
export logs from your Log Analytics workspace to destinations such as Azure Storage and Event Hub.
upvoted 20 times
wendyy 1 year ago
More for this: Log Analytics workspace will keep your log information; after 90 days, you need to pay money per G/month. If you want to
use your storage account to store logs, you need to pay money to export logs into your storage account or Event Hub. So the first one is NO.
A storage account is only one option you can transfer logs to if you don't want to pay money to keep them. Log Analytics workspace is the correct place.
upvoted 3 times
VincentvdS Highly Voted 1 year ago
Sentinel stores your events in a Log Analytics workspace and can retrieve events from a storage location. It doesn't store the events in a
storage location.
upvoted 10 times
Contactfornitish Most Recent 6 months ago
First answer is incorrect. As pointed out by others, Sentinel doesn't store content in storage account but in Log Analytics. Can say for sure
since completed SC-200 a few weeks back and SC-900 with 1000/1000, and one of the questions was similar
upvoted 6 times
PreethiP 7 months, 3 weeks ago
NYY - Stores events in Log Analytics workspace
upvoted 1 times
atilla 8 months, 3 weeks ago
now called Microsoft Sentinel
upvoted 2 times
peymani 8 months, 3 weeks ago
https://azure.microsoft.com/en-us/pricing/details/azure-sentinel/
Microsoft Sentinel provides intelligent security analytics across your enterprise. The data for this analysis is stored in an Azure Monitor Log
Analytics workspace. Microsoft Sentinel is billed based on the volume of data ingested for analysis in Microsoft Sentinel and stored in the
Azure Monitor Log Analytics workspace. Microsoft Sentinel offers a flexible and predictable pricing model. There are two ways to pay for
the Microsoft Sentinel service: Capacity Reservations and Pay-As-You-Go.
Q1: NO
upvoted 2 times
mufflon 9 months, 1 week ago
By default, logs ingested into Microsoft Sentinel are stored in Azure Monitor Log Analytics, So Q1 is NO
upvoted 1 times
swapnasantoshi 9 months, 2 weeks ago
what is the ans for Q1?
upvoted 1 times
jonnyazure 9 months, 3 weeks ago
So for #1 what's the answer?
upvoted 1 times
diogoweb 1 year ago
Got it on 06-09-2021
upvoted 5 times
xian05 1 year ago
Yes, Yes, Yes
upvoted 4 times
xian05 1 year ago
Azure Sentinel stores collected events in an Azure Storage account:
This connector lets you stream your Azure Storage accounts’ diagnostics logs into Azure Sentinel
The Azure Storage account connector is currently in PREVIEW
https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-storage-account
Think this is Yes, even though it is in preview.
upvoted 2 times
GitGnomed 12 months ago
I think you misinterpreted the question here. It states that Azure Sentinel stores its collected events in an Azure Storage account,
and not that an Azure Storage account can send its diagnostic logs to Azure Sentinel. Since Azure Sentinel uses a Log Analytics
workspace to store its collected events and not an Azure Storage account, the answer to this question is no.
upvoted 1 times
xian05 1 year ago
Azure Sentinel can collect Windows Defender Firewall Logs from Azure virtual machines.
The Windows Defender Firewall with Advanced Security connector allows Azure Sentinel to easily ingest Windows Defender Firewall
with Advanced Security logs from any Windows machines in your workspace.
https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-firewall
So, Yes, with a connector you can collect these logs.
upvoted 1 times
xian05 1 year ago
On second look, I notice the keyword 'can' with Q2 & Q3 and not with Q1.
Q1 Can only connect with a connector, so not by default.
Will change my answer to NYY.
upvoted 3 times
xian05 1 year ago
Azure Sentinel can remediate incidents automatically:
Playbooks are collections of procedures that can be run from Azure Sentinel in response to an alert or incident. A playbook can help
automate and orchestrate your response, and can be set to run automatically when specific alerts or incidents are generated, by being
attached to an analytics rule or an automation rule, respectively.
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook
So, YES, after setting up rules, it should be able to remediate incidents auto.
upvoted 5 times
Topic 1
Question #224
DRAG DROP -
Match the Azure Services service to the correct descriptions.
Instructions: To answer, drag the appropriate service from the column on the left to its description on the right. Each service may be used once,
more than once, or not at all.
NOTE: Each correct match is worth one point.
Select and Place:
Correct Answer: Incorrect Answer:
Box 1: Azure Sentinel -
Box 2: Azure Security Center -
Box 3: Azure Key Vault -
Azure Active Directory (Azure AD)
Azure AD is an identity and access management service, which helps your employees sign in and access resources
Azure Lighthouse
Azure Lighthouse is used for cross- and multi-tenant management.
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/overview
https://docs.microsoft.com/en-us/azure/security-center/secure-score-security-controls
https://practical365.com/securing-sensitive-information-in-azure-functions-with-the-azure-key-vault/
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis
https://docs.microsoft.com/en-us/azure/lighthouse/overview
xian05 Highly Voted 1 year ago
Azure Sentinel, Azure Security Center, Azure Key Vault
Azure Sentinel
Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated
response (SOAR) solution.
https://docs.microsoft.com/en-us/azure/sentinel/overview
Security mgmt aka analyze security log files.
Azure Security Center
The central feature in Security Center that enables you to achieve those goals is secure score.
https://docs.microsoft.com/en-us/azure/security-center/secure-score-security-controls
Azure Key Vault
Storing passwords is always the key vault
upvoted 37 times
Custodian Most Recent 6 months ago
21 November 2021:
"Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. We've also renamed Azure
Defender plans to Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage."
upvoted 2 times
tacobear 6 months ago
it was on exam on 03/12/2022.
upvoted 1 times
shakyak 11 months ago
This is correct
upvoted 2 times
Topic 1
Question #225
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: No -
Azure firewall does not encrypt network traffic. It is used to block or allow traffic based on source/destination IP address, source/destination
ports and protocol.
Box 2: No -
A network security group does not encrypt network traffic. It works in a similar way to a firewall in that it is used to block or allow traffic based
on source/ destination IP address, source/destination ports and protocol.
Box 3: No -
The question is rather vague as it would depend on the configuration of the host on the Internet. Windows Server does come with a VPN client
and it also supports other encryption methods such as IPSec encryption or SSL/TLS so it could encrypt the traffic if the Internet host was
configured to require or accept the encryption.
However, the VM could not encrypt the traffic to an Internet host that is not configured to require the encryption.
Reference:
https://docs.microsoft.com/en-us/azure/security/azure-security-data-encryption-best-practices#protect-data-in-transit
Salilgen Highly Voted 1 year, 7 months ago
I think last answer is YES: Windows 2016 can encrypt data
upvoted 34 times
werbinich 1 year, 5 months ago
Ok, but could you please mention the feature or technique which Win16 uses to encrypt network traffic?
upvoted 2 times
Hanzz 1 year, 2 months ago
Windows 8.1, Windows Server 2012 R2, Windows 10, Windows Server 2016, and later versions of Windows natively support TLS 1.2
for client-server communications over WinHTTP.
upvoted 1 times
[Removed] 12 months ago
SMB 3.x
upvoted 1 times
SimonR2 1 year, 5 months ago
Transport Layer Security (TLS)
upvoted 6 times
Cis 1 year, 3 months ago
That's only part of VPN
upvoted 4 times
alexandru_chirita 10 months, 3 weeks ago
Any (modern) web server installed on a Windows server 2016 could use TLS (or HTTPS bindings) - because that's how a good
web server should be (and a common feature too).
upvoted 1 times
thebadfella 1 year ago
By default, any Windows doesn't encrypt outgoing/incoming traffic unless there is a VPN set up. So the answer "No" is correct.
upvoted 14 times
alexandru_chirita 10 months, 3 weeks ago
You don't need a VPN to encrypt traffic.
Install an SQL Server and configure TLS connections and you have encrypted traffic.
Install an IIS web server (in windows features, anyone can have it) and configure HTTPS bindings and you have encrypted traffic.
You can also deny HTTP traffic in IIS and allow only the HTTPS encrypted connections.
upvoted 3 times
wolfobi 8 months ago
You are correct except question is "Can encrypt data SENT to internet", so question is only about outbound data.
upvoted 3 times
lovecloud2 9 months, 1 week ago
Yes captain obvious. Keyword is by default, it doesn't do that.
upvoted 3 times
ExamTopicsAdmin1 1 month, 3 weeks ago
Umm actually, by default it does send data encrypted to the internet. What is going to be one of the first things you do when
you stand up a VM? Go to the internet. Let's say you stood up the VM and decided to upload files to OneDrive using a
browser. What protocol is that browser going to leverage? That's right SSL with some form of TLS encrypting the data. This
should be yes.
upvoted 1 times
Hibin 1 year ago
Windows CAN encrypt data, which is all that is being asked for.
In matters like this where the correct answer is ambiguous, I'm inclined to go with the one that makes Microsoft look good.
upvoted 12 times
hercu Highly Voted 1 year, 6 months ago
Box 3 is also "NO".
You cannot encrypt ALL kind of traffic from Azure VMs sent to the Internet!
You can only encrypt traffic between two TRUSTED endpoints. Obviously the Internet isn't the trusted endpoint. In order to make it work,
the use of a VPN gateway is required, and then the traffic can be encrypted "over" the public connection - Internet, between Azure
VMs/vNets and the trusted on-premises locations.
"You can use an Azure VPN gateway to send encrypted traffic between your virtual network and your on-premises location across a public
connection, or to send traffic between virtual networks." References:
https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-overview
upvoted 21 times
SimonR2 1 year, 5 months ago
There is no VPN gateway required. This is simply asking about encrypting network traffic, which pretty much every webserver in
existence is able to do, whether it's based on the internet or internal network communications.
The two endpoints don't necessarily have to trust each other. It's usually one-sided, with the server needing to prove it's
trustworthy, unless there is client cert authentication too. All that needs to happen is that a server presents a public cert on the initial
client connection and the client decides whether or not to trust the server during the TLS handshake. This depends on details on the
cert such as the CA and available ciphers they agree upon.
Once the TLS handshake is completed and both sides have the symmetric keys then the server begins encrypting data and sending
it out over the network for the client to decrypt and vice versa.
Can an Azure VM that runs Windows Server 2016 encrypt network traffic? The answer is definitely Yes, or Microsoft would be going
quickly out of business.
upvoted 12 times
bytoki 1 year, 3 months ago
Definitely this is the 2nd most BS question from Microsoft after that Powershell in CLI question
upvoted 8 times
Mozbius_ 9 months, 2 weeks ago
I agree.
upvoted 1 times
_your__fear_ Most Recent 2 months ago
n n yyyyyyyy
upvoted 1 times
XP_2600 3 months, 1 week ago
Any Windows NT since V.4 can encrypt data using IPSec tunnel, why is the third choice NO?
upvoted 2 times
mehasi 4 months, 4 weeks ago
NO
NO
YES - Azure virtual machines that run Windows Server 2016 ***can*** encrypt the network traffic sent from the virtual machines to a host
on the Internet.
Notice "can", given that Windows Server 2016 can be configured to do so
upvoted 2 times
Contactfornitish 6 months ago
This one would be all three NO but beware, only situation when it would be true if VPN is involved.
upvoted 3 times
SSB112 7 months, 3 weeks ago
By using SMB 3.0 in VMs that are running Windows Server 2012 or later, you can make data transfers secure by encrypting data in transit
over Azure Virtual Networks. By encrypting data, you help protect against tampering and eavesdropping attacks. Administrators can
enable SMB encryption for the entire server, or just specific shares.
Is it not applicable here because the Windows version is not mentioned?
upvoted 1 times
TheKraemer 8 months ago
Got this from: https://pupuweb.com/microsoft-azure-fundamentals-az900-actual-exam-question-answer-dumps-3/2/
The Question (213) was: Azure virtual machines that run Windows Server 2016 can encrypt the network traffic sent from the virtual
machines to a host on the Internet.
Answer: No
The question is rather vague as it would depend on the configuration of the host on the Internet. Windows Server does come with a VPN
client and it also supports other encryption methods such as IPSec encryption or SSL/TLS so it could encrypt the traffic if the Internet host
was configured to require or accept the encryption. However, the VM could not encrypt the traffic to an Internet host that is not
configured to require the encryption.
upvoted 2 times
mmmmmnm 8 months, 4 weeks ago
No, No, No.
Firewall, NSG, and Windows do not encrypt the network traffic. Just do filtering.
upvoted 3 times
Mozbius_ 9 months, 2 weeks ago
If I turn on the faucet at home, can there be no water coming out?
LOL!!! That 3rd question I swear!!! Who manages to come up with them!?!?!!?!?!
upvoted 4 times
Mozbius_ 9 months, 2 weeks ago
That type of question is why you better know your stuff cause you will be dinged even when you are right so you better have a lot of your
answers right to overcompensate!
upvoted 1 times
Mozbius_ 9 months, 2 weeks ago
Straight from the mouth of a Microsoft employee...
"Azure VNETs do not encrypt traffic between 2 VMs in the same VNET. VNET Traffic is isolated, and functions in the same way as an on-
premise VNET. If you would like to add additional encryption, then you will need to configure the VMs to send & receive encrypted data. "
So even though this is in the context of vm to vm communication in Azure....... Unless I am wrong the answer is in fact yes and that
question/answer is complete bs. A windows 2016 vm CAN encrypt network traffic!
https://social.msdn.microsoft.com/Forums/azure/en-US/9f7bd2d1-66fa-4d70-aa9a-4725e7832fe7/is-the-traffic-between-vms-inside-a-azure-virtual-network-is-encrypted-?forum=WAVirtualMachinesVirtualNetwork
upvoted 1 times
thegreatnivram 9 months, 3 weeks ago
The question for the 3rd is: can Windows 2016 encrypt network traffic... the answer is yes.
upvoted 2 times
easygo68 10 months, 1 week ago
Someone had that question?
upvoted 1 times
TTAKU 11 months, 2 weeks ago
I would say NNY.
Box 3.. just secure Windows Traffic with IPsec. It allows TCP/UDP level encryption.
upvoted 2 times
MEETMEENA 1 year ago
Windows 2016 can encrypt data. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-portal-quickstart
upvoted 1 times
nzmike 12 months ago
That link looks like disk / data-at-rest encryption and not anything to do with sending over the internet.
upvoted 2 times
Sam9987611 1 year ago
Windows Server does come with a VPN client and it also supports other encryption methods such as IPSec encryption or SSL/TLS so it could
encrypt the traffic if the Internet host was configured to require or accept the encryption. However, the VM could not encrypt the traffic to
an Internet host that is not configured to require the encryption.
upvoted 2 times
Topic 1
Question #226
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Yes -
Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers, and
provides advanced threat protection across your hybrid workloads in the cloud - whether they're in Azure or not - as well as on premises.
Box 2: No -
Only two features: Continuous assessment and security recommendations, and Azure secure score, are free.
Box 3: Yes -
The advanced monitoring capabilities in Security Center also let you track and manage compliance and governance over time. The overall
compliance provides you with a measure of how much your subscriptions are compliant with policies associated with your workload.
References:
https://docs.microsoft.com/en-us/azure/security-center/security-center-intro
Wallybkk Highly Voted 1 year, 3 months ago
appeared on 21 Jun 21 exam
upvoted 10 times
Nabtah 1 year, 3 months ago
time traveler spotted
upvoted 29 times
anony1111 1 year, 3 months ago
hahaha
upvoted 1 times
Stephanyjempot 1 year, 2 months ago
HAHAHA
upvoted 2 times
Sandy666 1 year, 1 month ago
Haha Lol
upvoted 1 times
Chr1st0h1 Highly Voted 9 months, 1 week ago
Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud.
upvoted 7 times
gabrisiq Most Recent 2 months, 2 weeks ago
Security Center is now Microsoft Defender, right?
upvoted 1 times
Anil7177 6 months ago
Got this on 3/13/2022
upvoted 2 times
MS_Learner 7 months, 1 week ago
Got Feb 10, 2022, Trust center is replaced with Cloud defender..watch out the verbiage.
upvoted 4 times
AliD68 10 months ago
appeared 11/11/2021
upvoted 1 times
pradzy 1 year, 1 month ago
in 31jul2021
upvoted 1 times
Shw7 1 year, 1 month ago
Appeared on 26-July-2021
upvoted 1 times
Sarahxx 1 year, 1 month ago
appeared 18th July 2021
upvoted 2 times
samaas 1 year, 2 months ago
Appeared on July 7th exam
upvoted 3 times
jovialjen 1 year, 2 months ago
in exam 7th july 2021
upvoted 2 times
iwarakorn 1 year, 2 months ago
Got in exam July02,2021
upvoted 2 times
Slawx 1 year, 3 months ago
just passed July 7th 2021, thank you exam topics :)
upvoted 4 times
A_A999 1 year, 3 months ago
wow, you're from the future???
upvoted 12 times
mathi1 1 year, 3 months ago
Hi, I have exam on 11.06.2021 You got questions from these 230 questions only?
upvoted 3 times
FrankMorfragen 1 year, 3 months ago
how was it?
upvoted 2 times
mpooja 1 year, 3 months ago
Appeared in 05 - Jun -21 Exam
upvoted 4 times
taoj 1 year, 3 months ago
Got it on 01 Jun 2021
upvoted 6 times
Akki16 1 year, 3 months ago
correct
upvoted 3 times
AZ900Rocks 1 year, 3 months ago
ans are correct.
upvoted 2 times
Topic 1
Question #227
DRAG DROP -
You need to complete the defense-in-depth strategy used in a datacenter.
What should you do? To answer, drag the appropriate layers to the correct positions in the model. Each layer may be used once, more than once, or
not at all.
You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Correct Answer:
Defence in depth layers (from bottom to top):
Data
- In almost all cases attackers are after data.
- Data can be in a database, stored on disk inside VMs, on a SaaS application such as Office 365 or in cloud storage.
- Those storing and controlling access to data are responsible for ensuring that it's properly secured.
- Often regulatory requirements dictate controls and processes to ensure confidentiality, integrity, and availability.
Application
- Ensure applications are secure and free of vulnerabilities.
- Store sensitive application secrets in a secure storage medium.
- Make security a design requirement for all application development.
- Integrate security into the application development life cycle.
Compute
- Secure access to virtual machines.
- Implement endpoint protection and keep systems patched and current.
- Malware, unpatched systems, and improperly secured systems open your environment to attacks.
Networking
- Limit communication between resources.
- Deny by default.
- Allow only what is required
- Restrict inbound internet access and limit outbound, where appropriate.
- Implement secure connectivity to on-premises networks.
Perimeter
- Use distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end users.
- Use perimeter firewalls to identify and alert on malicious attacks against your network.
Identity and access
- Control access to infrastructure and change control.
- Access granted is only what is needed
- Use single sign-on and multi-factor authentication.
- Audit events and changes.
Physical security
- Building security & controlling access to computing hardware.
- First line of defense.
Reference:
https://github.com/undergroundwires/Azure-in-bullet-points/blob/master/AZ-900%20Microsoft%20Azure%20Fundamentals/4.2.%20Defence%20in%20Depth.md
SJ_JHA 4 months, 2 weeks ago
23.04.2022
upvoted 1 times
Krissy90 6 months ago
One of the worst diagrams I have ever seen, what does this even try to say?
upvoted 2 times
VIP_G 5 months, 3 weeks ago
IaaS, PaaS breakdown... From Physical to Compute is IaaS; App and Data = PaaS.
upvoted 3 times
usit 11 months, 2 weeks ago
Asked - 29/09/21
upvoted 4 times
Mev4953 11 months, 3 weeks ago
Correct answer
upvoted 2 times
754a 11 months, 3 weeks ago
Correct
upvoted 4 times
amine11 11 months, 3 weeks ago
did you pass the test ?
upvoted 1 times
Topic 1
Question #228
You have an Azure virtual machine named VM1.
You plan to encrypt VM1 by using Azure Disk Encryption.
Which Azure resource must you create first?
A. an Azure Storage account
B. an Azure Key Vault
C. an Azure Information Protection policy
D. an Encryption key
Correct Answer: B
Azure Disk Encryption requires an Azure Key Vault to control and manage disk encryption keys and secrets.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview
Mozbius_ Highly Voted 9 months, 2 weeks ago
Damn I think I have missed that in Azure Fundamentals Learning path!
upvoted 12 times
droopydog Most Recent 5 months, 2 weeks ago
Selected Answer: B
Answer
upvoted 1 times
Menda 10 months, 1 week ago
Answer is correct
Ref: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault
upvoted 3 times
MasoudK 10 months, 1 week ago
So tricky. You need an encryption key, so you can say Vault; however, for Disk you need a Storage account. Which one would you do first?
upvoted 2 times
Murffeus 9 months ago
In this instance I think you already have the VM so the Storage account is already tied to the VM in question. Thus you just need a Key
Vault to move forward with encryption
upvoted 2 times
zitouniaymen 10 months, 4 weeks ago
B. an Azure Key Vault
upvoted 3 times
katrinka 11 months, 2 weeks ago
B. an Azure Key Vault
upvoted 2 times
xhkpgkfrilchupiysb 11 months, 3 weeks ago
Correct
upvoted 2 times
Topic 1
Question #229
Which resources can be used as a source for a Network security group inbound security rule?
A. Service Tags only
B. IP Addresses, Service tags and Application security groups
C. Application security groups only
D. IP Addresses only
Correct Answer: B
Source or destination:
Any, or an individual IP address, classless inter-domain routing (CIDR) block (10.0.0.0/24, for example), service tag, or application security
group.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
TTAKU Highly Voted 11 months, 2 weeks ago
Correct Answer:
Network security groups are processed after Azure translates a public IP address to a private IP address for inbound traffic, and before
Azure translates a private IP address to a public IP address for outbound traffic. Specifying a range, a service tag, or application security
group, enables you to create fewer security rules.
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#security-rules
upvoted 20 times
atilla Most Recent 7 months, 4 weeks ago
I am also studying for az104,
upvoted 3 times
DAN_17 6 months, 1 week ago
bravoooo
upvoted 3 times
akp1000 8 months ago
Selected Answer: B
Correct answer
upvoted 1 times
Topic 1
Question #230
HOTSPOT -
To complete the sentence, select the appropriate option in the answer area.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook
mintyo Highly Voted 11 months, 2 weeks ago
correct answer
Playbooks are collections of procedures that can be run from Azure Sentinel in response to an alert or incident. A playbook can help
automate and orchestrate your response, and can be set to run automatically when specific alerts or incidents are generated, by being
attached to an analytics rule or an automation rule, respectively. It can also be run manually on-demand.
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook
upvoted 11 times
csboy Most Recent 5 months, 2 weeks ago
on exam March 30, 2022
upvoted 2 times
MS_Learner 7 months, 1 week ago
Got Feb 10, 2022
upvoted 3 times
LiamAltaii 9 months ago
Answer is correct.
Off topic, this was not mentioned in learning path or did I miss it?
upvoted 2 times
easygo68 10 months, 1 week ago
Be asked in the 11.11.2021 exam!
upvoted 3 times
Vincenzo_Cassano 10 months, 4 weeks ago
on exam OCT 22, 2021
upvoted 3 times
AlaCh 11 months ago
Correct
upvoted 1 times
Topic 1
Question #231
HOTSPOT -
To complete the sentence, select the appropriate option in the answer area.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/firewall/tutorial-firewall-dnat-policy
Georgess Highly Voted 11 months ago
If you configure network rules and application rules, then network rules are applied in priority order before application rules.
NAT rules are applied in priority before network rules.
I would go with NAT.
https://docs.microsoft.com/en-us/azure/firewall/rule-processing
upvoted 7 times
Jason71 Highly Voted 11 months ago
Got this on the 19/10/2021 exam!
upvoted 6 times
Eleftheriia Most Recent 8 months, 3 weeks ago
The following might be helpful:
"Azure Virtual Network NAT is a network address translation service running in Azure. With Azure Virtual Network NAT, you can provide
secure outbound connectivity to virtual instances in a private subnet so they can connect outside your virtual network."
upvoted 2 times
mufflon 9 months ago
Inbound traffic refers to information coming-in to a network.
The question is about incoming traffic.
https://docs.microsoft.com/en-us/azure/firewall/tutorial-firewall-dnat-policy
upvoted 2 times
Ajaykrish 9 months, 2 weeks ago
got it on 29-Nov-2021
upvoted 2 times
kruize99 9 months, 3 weeks ago
Answer is NAT. NAT takes priority before network rules for inbound traffic: https://docs.microsoft.com/en-us/azure/firewall/rule-processing#dnat-rules-and-network-rules
upvoted 2 times
MasoudK 10 months, 1 week ago
there are two connectivity: inbound and outbound. DNAT is for filtering inbound traffic and not internet access(outbound). So I would go
for Network rule.
upvoted 4 times
MasoudK 11 months ago
Network Address Translation (NAT) rules that define destination IP addresses and ports to translate inbound requests. Question is access
from Internet to an az resource (VM) sounds like an outbound request. I agree with Network rules
upvoted 2 times
mufflon 9 months ago
Inbound traffic refers to information coming-in to a network.
The question is about incoming traffic.
https://docs.microsoft.com/en-us/azure/firewall/tutorial-firewall-dnat-policy
upvoted 1 times
VIP_G 5 months, 2 weeks ago
I agree. I think it is Network Rules. NAT is to keep connection internally or to have a private network connect to internet but does not
allow internal connection from the internet. NAT makes no sense here. NAT is supposed to protect internal networks from outside
connections (internet).
upvoted 1 times
TTAKU 11 months, 2 weeks ago
it should be "Network Rules",
https://docs.microsoft.com/en-us/azure/firewall/rule-processing
upvoted 3 times
Gorilla5 11 months, 2 weeks ago
I guess answer is correct. This is from website you have pasted link into: "Inbound Internet connectivity can be enabled by configuring
Destination Network Address Translation (DNAT) as described in Tutorial: Filter inbound traffic with Azure Firewall DNAT using the
Azure portal. NAT rules are applied in priority before network rules"
upvoted 1 times
Mev4953 11 months, 3 weeks ago
It is answer from 194.
Perimeter
- Use distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end users.
- Use perimeter firewalls to identify and alert on malicious attacks against your network.
But it doesn't match with this. According to this answer, it should be Perimeter Layer
upvoted 1 times
Topic 1
Question #232
HOTSPOT -
To complete the sentence, select the appropriate option in the answer area.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview
MasoudK Highly Voted 11 months ago
definitely Perimeter layer:
The perimeter layer uses distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of
service for users.
The network layer limits communication between resources through segmentation and access controls. link:
https://docs.microsoft.com/en-us/learn/modules/secure-network-connectivity-azure/2-what-is-defense-in-depth
upvoted 53 times
VIP_G 5 months, 3 weeks ago
That is what I thought... I am going with Perimeter layer
upvoted 1 times
cazzobsb 4 months, 2 weeks ago
Defense-in-Depth? ---> Perimeter Layer
OSI Model? ---> Network layer
Not specifying ? ----> crappy question
upvoted 2 times
nordejulme Highly Voted 11 months ago
"The perimeter layer uses distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of
service for users."
https://docs.microsoft.com/en-us/learn/modules/secure-network-connectivity-azure/2-what-is-defense-in-depth
upvoted 13 times
lazslo78 Most Recent 1 week, 3 days ago
Networking layer is correct but it can be also Application Layer..
https://azure.microsoft.com/en-us/services/ddos-protection/#faq
Use DDoS Protection service in combination with a web application firewall (WAF) for protection both at the network layer (layer 3 and 4,
offered by DDoS Protection Standard) and at the application layer (layer 7, offered by a WAF). Offerings include Application Gateway WAF
and other web application firewall apps available in Azure Marketplace.
upvoted 1 times
Dennis_SOn 4 months, 1 week ago
Customers can use Azure DDoS Protection service in combination with a Web Application Firewall (WAF) for protection both at the
network layer (Layer 3 and 4, offered by Azure DDoS Protection Standard) and at the application layer (Layer 7, offered by a WAF)
upvoted 2 times
BShelat 5 months, 1 week ago
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/perimeter-networks
https://docs.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview
Perimeter-networks are NOT EQUAL to perimeter layer of Azure.
Perimeter = Border
Perimeter Network is a border of virtual network. Perimeter layer is a border of Azure. DDoS protection is applied at Perimeter networks.
It can also be applied at application layer through WAF.
Correct answer is Networking Layer.
upvoted 2 times
wawaw3213 5 months, 1 week ago
perimeter
upvoted 1 times
droopydog 5 months, 2 weeks ago
Perimeter layer
upvoted 1 times
Pims 5 months, 3 weeks ago
Answer is Perimeter
Defense in depth reviewed (official MSFT training): Perimeter layer protects your network boundaries with Azure DDOS Protection and
Azure Firewall
upvoted 1 times
Anil7177 6 months ago
Got this on 3/13/2022
upvoted 1 times
Meyti 6 months, 1 week ago
perimeter layer is correct.
source1:
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/perimeter-networks
Source2:
https://www.azureguru.org/what-is-defense-in-depth/
upvoted 1 times
Sunnydayjtl 6 months, 3 weeks ago
in AZ900 Training: Perimeter is the correct Answer
upvoted 4 times
herspor 7 months ago
DiD layers:
Each layer can implement one or more of the CIA concerns:
1. Data: Data encryption at rest in Azure Blob Storage
2. Application: SSL/TLS encrypted sessions
3. Compute: Regular application of OS and layered software patches
4. Network: Network security rules
5. Perimeter: DDoS protection
6. Identity and access: Azure Active Directory user authentication
7. Physical security: Azure datacenter biometric access controls
upvoted 1 times
NhojjohN 7 months ago
Do not confuse OSI Model and Defense-in-Depth
if it is on OSI it's definitely on Network
if it is on DID it's Perimeter.
Microsoft question should be more specific
upvoted 4 times
VIP_G 5 months, 3 weeks ago
Good point. I was thinking DID because we just saw it on #201. And I have not seen any mention of OSI model in any exam questions
or Microsoft Path study guides. That comes in for AZ 104.
upvoted 1 times
NhojjohN 7 months ago
This should be Perimeter!
It's actually on Question #201
Perimeter
- Use distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end users.
- Use perimeter firewalls to identify and alert on malicious attacks against your network.
upvoted 1 times
MS_Learner 7 months, 1 week ago
Got Feb 10, 2022, Answer is Perimeter Layer
upvoted 4 times
Pedrazini 7 months, 3 weeks ago
networking layer
https://azure.microsoft.com/en-us/pricing/details/ddos-protection/#:~:text=DDoS%20Protection%20is%20enabled%20at,enabled%20on%20the%20Virtual%20Network.
upvoted 2 times
simnowa 7 months, 4 weeks ago
Here's a brief overview of the role of each layer:
The perimeter layer uses distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of
service for users.
so the answer is definitely Perimeter layer
upvoted 1 times
Topic 1
Question #233
You have an Azure Sentinel workspace.
You need to automate responses to threats detected by Azure Sentinel.
What should you use?
A. adaptive network hardening in Azure Security Center
B. Azure Service Health
C. Azure Monitor workbooks
D. adaptive application controls in Azure Security Center
Correct Answer: C
TamHas Highly Voted 7 months, 3 weeks ago
This answer is correct, see statement from Microsoft site:
Once you have connected your data sources to Microsoft Sentinel, you can visualize and monitor the data using the Microsoft Sentinel
adoption of Azure Monitor Workbooks, which provides versatility in creating custom dashboards. While the Workbooks are displayed
differently in Microsoft Sentinel, it may be useful for you to see how to create interactive reports with Azure Monitor Workbooks. Microsoft
Sentinel allows you to create custom workbooks across your data, and also comes with built-in workbook templates to allow you to quickly
gain insights across your data as soon as you connect a data source.
https://docs.microsoft.com/en-us/azure/sentinel/monitor-your-data
upvoted 13 times
TheKraemer Highly Voted 8 months ago
The explanation is missing here! I don't spend money for this!!
upvoted 12 times
johnny1001 6 months, 1 week ago
oh yes you do
upvoted 13 times
HHHo Most Recent 4 months, 4 weeks ago
Got this in exam on 2022.04.18
upvoted 1 times
kwldgseeker 5 months ago
Either the answer is playbooks (which is not a provided choice) or the question itself is wrong. Workbooks does not provide for
automation. It is a visualization / reporting tool. If you still doubt, look up "automate responses to threats detected by Azure Sentinel." in
Google and you will find "Playbooks" in the results and nowhere will you find "Workbooks". I really love the spirit and intent of the site
and have respect fort the small team behind it. At the same time I have to question where these questions came from. There are far too
many discrepancies, errors and omissions to justify the asking price (which I regrettably paid as I thought my membership was for all
tests, not just the AZ-900!). Clean up the discrepancies, errors and omissions (and include more than just one test) and it will be worth the
asking price.
upvoted 6 times
Tin_Nguyen 5 months, 1 week ago
C for me
"The company will also use Azure Monitor Workbooks to automate responses to threats."
https://docs.microsoft.com/en-us/learn/modules/protect-against-security-threats-azure/3-detect-respond-threats-sentinel?ns-enrollment-type=learningpath&ns-enrollment-id=learn.az-900-describe-general-security-network-security-features
upvoted 4 times
Contactfornitish 6 months ago
Odd one out but I would disagree with answer. Workbooks are just dashboards and take no action themselves.
Sentinel uses playbook against known situations but playbook uses two things among others Adaptive network hardening (to reduce
attack surface) and Adaptive Application Control (to have a known safe application list & block application on suspicious behavior). Since
the Application control needs advance work, I would say surface reduction would be first choice in case of any attack. Hence A
upvoted 2 times
forestwood 7 months ago
Workbook does not provide automation. So I do not agree with the answer
upvoted 3 times
blobstorage 7 months, 3 weeks ago
I think it should be Playbooks,
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook
upvoted 6 times
nsp24 8 months ago
I think answer is correct
https://docs.microsoft.com/en-us/azure/sentinel/monitor-your-data
upvoted 2 times
Borbala 8 months, 1 week ago
I agree - it should be Azure Logic Apps.
"Automate your common tasks and simplify security orchestration with playbooks that integrate with Azure services and your existing
tools.
Built on the foundation of Azure Logic Apps..."
https://docs.microsoft.com/en-us/azure/sentinel/overview
upvoted 2 times
nimblealliance 5 months, 1 week ago
Yes, I too think it should be Azure logic Apps :-
https://www.xenonstack.com/blog/azure-sentinel-and-its-components#:~:text=Azure%20Sentinel%20is%20a%20SIEM,proactive%20hunting%2C%20and%20threat%20response.
Playbooks: A Playbook is a collection of procedures to execute in response to an alert trigger by Azure Sentinel. They leverage Azure
Logic Apps. So, the user can use flexibility, capability, customizability, and built-in templates of Logic Apps. To automate and
orchestrate tasks/workflows that can be ready to configure to run manually or execute automatically when specific alerts are triggered.
But it isn't available in the options lol
upvoted 1 times
Lincoln01 8 months, 2 weeks ago
I think these should be playbook but not seen in the options
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook
upvoted 2 times
ajl22 8 months ago
Azure Monitor workbooks vs. Azure Sentinel playbooks is confusing, yes!
upvoted 1 times
Topic 1
Question #234
DRAG DROP -
Match the Azure services benefits to the correct descriptions.
Instructions: To answer, drag the appropriate benefit from the column on the left to its description on the right. Each benefit may be used once,
more than once, or not at all.
NOTE: Each correct match is worth one point.
Select and Place:
Correct Answer:
Box 1: Microsoft Sentinel -
Microsoft Sentinel is a scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation, and
response (SOAR) solution. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a
single solution for attack detection, threat visibility, proactive hunting, and threat response.
Box 2: Microsoft Defender for Cloud
You can find your overall secure score, as well as your score per subscription, through the Azure portal. Defender for Cloud displays your secure
score prominently in the portal.
Box 3: Azure Key Vault -
A favored approach is to store the credentials or keys in the Azure Key Vault as secrets and reference the secrets as environment variables in our
Azure Functions apps.
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/overview
https://docs.microsoft.com/en-us/azure/defender-for-cloud/secure-score-access-and-track
https://levelup.gitconnected.com/a-secure-way-to-use-credentials-and-secrets-in-azure-functions-7ec91813c807
Topic 1
Question #235
Which Azure service can you use as a security information and event management (SIEM) solution?
A. Azure Analysis Services
B. Microsoft Sentinel
C. Azure Information Protection
D. Azure Cognitive Services
Correct Answer: B
Microsoft Sentinel is a scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation, and
response (SOAR) solution. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a
single solution for attack detection, threat visibility, proactive hunting, and threat response.
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/overview
Topic 1
Question #236
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:
Correct Answer:
Box: collection of policy definitions
An Azure Policy initiative is a collection of Azure Policy definitions, or rules, that are grouped together towards a specific goal or purpose. Azure
initiatives simplify management of your policies by grouping a set of policies together, logically, as a single item.
Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/security-policy-concept
Topic 1
Question #237
You have an Azure subscription.
You need to review your secure score.
What should you use?
A. Azure Monitor
B. Azure Advisor
C. Help + support
D. Microsoft Defender for Cloud
Correct Answer: D
The central feature in Defender for Cloud that enables you to achieve those goals is secure score.
Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/secure-score-security-controls
Topic 1
Question #238
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:
Correct Answer:
Box: Microsoft Defender for Cloud
Lock down inbound traffic to your Azure Virtual Machines with Microsoft Defender for Cloud's just-in-time (JIT) virtual machine (VM) access
feature. This reduces exposure to attacks while providing easy access when you need to connect to a VM.
Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage
GetAzure 1 week, 5 days ago
is Correct Microsoft Defender For Cloud
https://docs.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage?tabs=jit-config-asc%2Cjit-request-asc
upvoted 2 times
Topic 1
Question #239
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:
Correct Answer:
Box: Microsoft Defender for Cloud
Microsoft Defender for Cloud helps streamline the process for meeting regulatory compliance requirements, using the regulatory compliance
dashboard.
You can download PDF/CSV reports as well as certification reports of your compliance status.
Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/regulatory-compliance-dashboard
Topic 1
Question #240
You need to collect and automatically analyze security events from Azure Active Directory (Azure AD).
What should you use?
A. Microsoft Sentinel
B. Azure Synapse Analytics
C. Azure AD Connect
D. Azure Key Vault
Correct Answer: A
Microsoft Sentinel is a scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation, and
response (SOAR) solution.
Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for attack
detection, threat visibility, proactive hunting, and threat response.
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/overview
Topic 1
Question #241
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:
Correct Answer:
Box: Azure Active Directory (Azure AD)
You can enable single sign-on for an enterprise application through Azure Active Directory (Azure AD).
Incorrect:
Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group
virtual machines and define network security policies based on those groups.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-setup-sso
Topic 1
Question #242
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: No -
Azure creates the default rules in each network security group that you create. These rules allow some traffic.
Box 2: Yes -
A network security group contains zero, or as many rules as desired. These rules can refer to application security groups.
Box 3: Yes -
Azure creates the Inbound and OutBound default rules in each network security group that you create.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
Topic 1
Question #243
DRAG DROP -
Match the term to the appropriate description.
To answer, drag the appropriate term from the column on the left to its description on the right. Each term may be used once, more than once, or
not at all.
NOTE: Each correct match is worth one point.
Select and Place:
Correct Answer:
CK9797 1 week, 2 days ago
Es correcto
upvoted 1 times
Drchattss 1 week, 6 days ago
Spot-on
upvoted 1 times
Topic 1
Question #244
Your company plans to automate the deployment of servers to Azure.
Your manager is concerned that you may expose administrative credentials during the deployment.
You need to recommend an Azure solution that encrypts the administrative credentials during the deployment.
What should you include in the recommendation?
A. Azure Key Vault
B. Azure Information Protection
C. Microsoft Defender for Cloud
D. Azure Multi-Factor Authentication (MFA)
Correct Answer: A
Azure Key Vault protects cryptographic keys, certificates (and the private keys associated with the certificates), and secrets (such as
connection strings and passwords) in the cloud.
Reference:
https://docs.microsoft.com/en-us/azure/key-vault/general/security-features
Topic 1
Question #245
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:
Correct Answer:
Box: network security group (NSG)
You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network
security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure
resources. For each rule, you can specify source and destination, port, and protocol.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
Topic 1
Question #246
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:
Correct Answer:
Box: networking layer -
DDoS Protection defends against a comprehensive set of network layer (layer 3/4) attacks.
Reference:
https://azure.microsoft.com/en-us/services/ddos-protection
ruank 1 day, 4 hours ago
Perimeter Layer as per MS AZ-900 training
upvoted 1 times
lazslo78 1 week, 3 days ago
I would say application and networking layer:
https://azure.microsoft.com/en-us/services/ddos-protection/#faq
If you scroll down :
What about protection at the service layer (layer 7)?
Use DDoS Protection service in combination with a web application firewall (WAF) for protection both at the network layer (layer 3 and 4,
offered by DDoS Protection Standard) and at the application layer (layer 7, offered by a WAF). Offerings include Application Gateway WAF
and other web application firewall apps available in Azure Marketplace.
OSI model network layer 3 and application layer 7
upvoted 1 times
GetAzure 1 week, 5 days ago
is correct Perimeter layer
upvoted 4 times
Drchattss 1 week, 6 days ago
Perimeter layer
upvoted 4 times
Topic 1
Question #247
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:
Correct Answer:
Box: automatically respond to threats
Playbooks are collections of procedures that can be run from Microsoft Sentinel in response to an alert or incident. A playbook can help
automate and orchestrate your response, and can be set to run automatically when specific alerts or incidents are generated, by being attached
to an analytics rule or an automation rule, respectively.
Note: Automation rules help you triage incidents in Microsoft Sentinel. You can use them to automatically assign incidents to the right
personnel, close noisy incidents or known false positives, change their severity, and add tags. They are also the mechanism by which you can
run playbooks in response to incidents.
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook
Topic 1
Question #248
You need to configure an Azure solution that meets the following requirements:
Secures websites from attacks
Generates reports that contain details of attempted attacks
What should you include in the solution?
A. Azure Firewall
B. a network security group (NSG)
C. Azure Information Protection
D. DDoS protection
Correct Answer: D
DDoS is a type of attack that tries to exhaust application resources. The goal is to affect the application's availability and its ability to handle
legitimate requests.
DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet.
Azure has two DDoS service offerings that provide protection from network attacks: DDoS Protection Basic and DDoS Protection Standard.
DDoS Basic protection is integrated into the Azure platform by default and at no extra cost.
You have the option of paying for DDoS Standard. It has several advantages over the basic service, including logging, alerting, and telemetry.
DDoS Standard can generate reports that contain details of attempted attacks as required in this question.
Reference:
https://docs.microsoft.com/en-us/azure/security/fundamentals/ddos-best-practices
Ragijo Highly Voted 2 years, 10 months ago
Azure Firewall doesn't protect from attacks, only filter traffic at layer 3 and layer 7, so DDoS is the correct answer.
upvoted 93 times
GaneshSneha 2 years, 7 months ago
Thanks!!
upvoted 2 times
Jay_azure Highly Voted 1 year, 11 months ago
Attack is the Key word for DDOS.
Rules is keyword for Firewall.
Allow/Deny is the Keyword for NSG
upvoted 92 times
arpi2910 10 months, 3 weeks ago
Thanks I had confusion with Firewall and NSG
upvoted 2 times
luiz 1 year, 7 months ago
very good tip
upvoted 3 times
Mozbius_ 9 months, 3 weeks ago
Firewall and NSG BOTH Allow/Deny. The difference between them is (mainly among other things) :
FIREWALL = acts as a defence in depth PERIMETER (OUTSIDE the virtual network) filter = between a virtual network and the outside
world
NSG : acts as a defence in depth NETWORK/SUBNET (INSIDE/WITHIN the virtual network filter) = at the resources level
Please correct me if I am wrong.
https://docs.microsoft.com/en-us/learn/modules/secure-network-connectivity-azure/
upvoted 10 times
Lanka22 Most Recent 22 hours, 23 minutes ago
Selected Answer: D
DDoS=attack
upvoted 1 times
mikep1 8 months, 3 weeks ago
Selected Answer: D
DDoS=attack
upvoted 1 times
AnNguyen88 8 months, 4 weeks ago
The correct answer is D (DDoS attack)
upvoted 1 times
Jam1007 9 months, 2 weeks ago
DDoS protection is correct
upvoted 1 times
Nouvelle_France 10 months ago
The correct answer is D. As per the following link "https://docs.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview",
we can see that the chart states that DDoS supports 'Mitigation reports'. Furthermore, for those who do not know the definition of
DDoS, the first line of this link states: "A DDoS attack attempts to exhaust an application's resources, making the application unavailable
to legitimate users."
upvoted 2 times
Azuni 10 months ago
I do understand how this answer came to be but isn't DDoS automatically enabled on Azure? Would like to know what you guys think. I
will accept the answer provided, but the above-mentioned point was bugging me.
upvoted 1 times
minimei 10 months, 2 weeks ago
Got this in 5/11/21 exam
upvoted 4 times
raulek 1 year ago
Imo it should be AD, because it is not specified in question what kind of attack it is. And FW by closing unused ports will increase security
as well. It is not specified how this web app is running. On VM? As a service?
upvoted 4 times
type_12 1 year, 6 months ago
D is correct
upvoted 1 times
Amchi 1 year, 7 months ago
DDoS protection is correct answer
upvoted 2 times
mateo2121 1 year, 7 months ago
Think the same, D answer is correct.
Why?
https://docs.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview
https://docs.microsoft.com/en-us/azure/ddos-protection/diagnostic-logging?tabs=DDoSProtectionNotifications
upvoted 1 times
FrontPageFreebirds 1 year, 8 months ago
Why in comment you guys always confuse???
upvoted 6 times
cybnick 1 year, 8 months ago
I was 50/50 between A and D, I chose A
upvoted 2 times
Gwak 1 year, 9 months ago
The Keywords is "Generates reports". so, the most suitable answer is D.
upvoted 2 times
jpush 1 year, 9 months ago
ANS IS A
WAF protects you from cross-site scripting and malicious attacks. You can place it in front of your web application/server. It's a preventive
security tool.
DDoS is a form of threat; it is not a preventive tool
upvoted 1 times
theRunner 1 year, 11 months ago
It's important to remember that Azure Firewall provides protection for non-HTTPS traffic. If your website is public facing, you should have
HTTPS enabled, which means that DDoS, along with WAF, will be used to secure your website
upvoted 4 times
Topic 1
Question #249
HOTSPOT -
You plan to implement several security services for an Azure environment. You need to identify which Azure services must be used to meet the
following security requirements:
Monitor threats by using sensors
Enforce Azure Multi-Factor Authentication (MFA) based on a condition
Which Azure service should you identify for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1:
To monitor threats by using sensors, you would use Azure Advanced Threat Protection (ATP).
Azure Advanced Threat Protection (ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify,
detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
Sensors are software packages you install on your servers to upload information to Azure ATP.
Box 2:
To enforce MFA based on a condition, you would use Azure Active Directory Identity Protection.
Azure AD Identity Protection helps you manage the roll-out of Azure Multi-Factor Authentication (MFA) registration by configuring a Conditional
Access policy to require MFA registration no matter what modern authentication app you are signing in to.
References:
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/what-is-atp
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy
fgrion Highly Voted 1 year, 3 months ago
guys, can you please comment only if you think an answer is wrong and why? reading 20 comments of people saying correct doesn't help
at all and you always open it. let's put the comments to the minimum pls
upvoted 93 times
sfngwjkgsngeghjnke 1 year, 3 months ago
Correct answer
upvoted 13 times
sas12321 1 year, 1 month ago
correct answer!!
upvoted 13 times
Jem12124321423 10 months, 2 weeks ago
Seeing something is correct helps too
upvoted 13 times
success101 Highly Voted 2 years, 8 months ago
Both are correct.
Sources:
1. https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-architecture
2. https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
upvoted 40 times
Contactfornitish Most Recent 6 months ago
Second one is INCORRECT.
Identity Protection does provide the info if something is risky or suspicious but alone it doesn't have anything to enforce. Conditional
Access uses that signal but Conditional Access itself falls under Azure Security Center and NOT Identity Protection.
Saying this after managing Conditional Access policies for years
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
upvoted 2 times
AZ_Guru_Wannabe 8 months, 3 weeks ago
FYI - apparently ATP has been renamed "Microsoft Defender for Identity" - no idea if the term on the exam has been changed, but be
aware
"Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP)"
https://docs.microsoft.com/en-us/defender-for-identity/what-is
upvoted 11 times
AnNguyen88 8 months, 4 weeks ago
Keywords are Threat Protection and MFA
upvoted 2 times
Dhsh 9 months, 1 week ago
It's correct
upvoted 1 times
FrankBelo 9 months, 2 weeks ago
correct answer!!
upvoted 1 times
giraffe 10 months ago
The answer displayed is correct
upvoted 1 times
easygo68 10 months, 1 week ago
Be asked in the 11.11.2021 exam!
upvoted 1 times
Camus_ 10 months, 2 weeks ago
CORRECT
upvoted 1 times
RISHI_009 1 year, 1 month ago
correct
upvoted 1 times
Gerardo1971 1 year, 4 months ago
Correct answer
upvoted 1 times
soumya_ 1 year, 5 months ago
what is the difference between security center and AATP? both says threat protection... confused...
upvoted 2 times
Acredser 1 year, 6 months ago
"Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP) is a cloud-based security solution
that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and
malicious insider actions directed at your organization."
--
The question does not mention anything about "on-premise"?
upvoted 3 times
panal 1 year, 6 months ago
correct
upvoted 1 times
mikl 1 year, 7 months ago
Keywords are "Threat" and "MFA"
upvoted 4 times
Kiano 1 year, 8 months ago
Isn't it so that you enforce MFA through Conditional Access, which is under Azure Security Center?
upvoted 4 times
Topic 1
Question #250
Your Azure environment contains multiple Azure virtual machines.
You need to ensure that a virtual machine named VM1 is accessible from the Internet over HTTP.
What are two possible solutions? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Modify an Azure Traffic Manager profile
B. Modify a network security group (NSG)
C. Modify a DDoS protection plan
D. Modify an Azure firewall
Correct Answer: B
A network security group works like a firewall. You can attach a network security group to a virtual network and/or individual subnets within the
virtual network.
You can also attach a network security group to a network interface assigned to a virtual machine. You can use multiple network security
groups within a virtual network to restrict traffic between resources such as virtual machines and subnets.
You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group
contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
In this question, we need to add a rule to the network security group to allow the connection to the virtual machine on port 80 (HTTP).
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
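Added example (not part of the original page or of Microsoft's code): a small Python model of how an NSG evaluates inbound rules, showing why HTTP from the Internet is denied by the default rules until an allow rule for port 80 is added. The custom rule names (AllowHttpInbound, DenyInternetInbound, AllowAnyInbound), the helper names, and the simplification that the traffic source is already resolved to a service tag and that destination addresses are ignored are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # lower number is evaluated first; custom rules use 100-4096
    source: str      # service tag: "Internet", "VirtualNetwork", "AzureLoadBalancer" or "*"
    protocol: str    # "Tcp", "Udp" or "*"
    dest_ports: str  # single port "80", range "8000-8080" or "*"
    access: str      # "Allow" or "Deny"


# Inbound default rules that Azure adds to every NSG (destination omitted in this model).
DEFAULT_INBOUND = [
    Rule("AllowVNetInBound", 65000, "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]


def port_matches(spec, port):
    """True if `port` falls inside a rule's destination port specification."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate(custom_rules, source, protocol, port):
    """Return (access, rule_name) of the first rule that matches, in priority order."""
    for rule in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.source not in ("*", source):
            continue
        if rule.protocol not in ("*", protocol):
            continue
        if not port_matches(rule.dest_ports, port):
            continue
        return rule.access, rule.name  # processing stops at the first match
    raise AssertionError("unreachable: DenyAllInBound matches all inbound traffic")


def broad_internet_rules(custom_rules, intended_ports):
    """Review helper: names of Allow rules that open more than the intended ports to the Internet."""
    flagged = []
    for rule in custom_rules:
        if rule.access != "Allow" or rule.source not in ("*", "Internet"):
            continue
        if rule.dest_ports == "*":
            flagged.append(rule.name)
            continue
        low, _, high = rule.dest_ports.partition("-")
        if any(p not in intended_ports for p in range(int(low), int(high or low) + 1)):
            flagged.append(rule.name)
    return flagged


# Constructed sample rules for VM1's NSG.
ALLOW_HTTP = Rule("AllowHttpInbound", 100, "Internet", "Tcp", "80", "Allow")
DENY_INTERNET = Rule("DenyInternetInbound", 90, "Internet", "*", "*", "Deny")
ALLOW_ANY = Rule("AllowAnyInbound", 200, "*", "*", "*", "Allow")

if __name__ == "__main__":
    print("defaults only      :", evaluate([], "Internet", "Tcp", 80))
    print("with port 80 rule  :", evaluate([ALLOW_HTTP], "Internet", "Tcp", 80))
    print("RDP still blocked  :", evaluate([ALLOW_HTTP], "Internet", "Tcp", 3389))
    print("deny at priority 90:", evaluate([ALLOW_HTTP, DENY_INTERNET], "Internet", "Tcp", 80))
    print("rules to review    :", broad_internet_rules([ALLOW_HTTP, ALLOW_ANY], {80}))
```

The fourth case shows that adding the allow rule is not enough if a deny rule with a lower priority number already matches the same traffic.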
hgx32983 Highly Voted 1 year, 9 months ago
Question saying there should be 2 answer, not just one as given in the solution.
Should be B (NSG) and D (Firewall)
upvoted 306 times
CyberAmit Highly Voted 1 year, 9 months ago
B+D are the correct answers
upvoted 71 times
chikkz 1 year ago
Correct
upvoted 2 times
Lanka22 Most Recent 22 hours, 20 minutes ago
Should be B (NSG) and D (Firewall)
upvoted 1 times
joaopellissari 3 weeks, 3 days ago
Selected Answer: B
B and D
upvoted 1 times
soyoko 2 months, 3 weeks ago
To ensure that a virtual machine named VM1 is accessible from the Internet over HTTP, you need to modify a network security group or
Azure Firewall.
B & D are correct answers.
upvoted 1 times
EmmaW 3 months, 1 week ago
BD, NSG and Firewall
upvoted 1 times
ITLearningalways 3 months, 1 week ago
The answer should be B (NSG) and D (Firewall); it is looking for 2 possible solutions.
upvoted 1 times
cri88 3 months, 4 weeks ago
Selected Answer: B
B & D is correct
upvoted 4 times
bulichich 3 months, 4 weeks ago
Selected Answer: D
B and D are the correct answers
upvoted 4 times
certstudent2016 4 months, 3 weeks ago
B & D correct
Got this on exam....pass with 928
upvoted 6 times
HHHo 4 months, 4 weeks ago
Got this in exam on 2022.04.18
upvoted 2 times
Zoe_GR 6 months ago
Yes, B & D indeed
upvoted 3 times
kikinho_jaen 6 months, 4 weeks ago
B D are the correct
upvoted 3 times
AnnSoftEng 7 months, 2 weeks ago
B & D is correct
upvoted 1 times
DeepakR 7 months, 3 weeks ago
B and D both are correct
upvoted 1 times
mikep1 8 months, 4 weeks ago
Of course: B + D
upvoted 3 times
clozano 9 months ago
B, D are the correct answers
upvoted 3 times
Topic 1
Question #251
HOTSPOT -
To complete the sentence, select the appropriate option in the answer area.
Hot Area:
Correct Answer:
The just-in-time (JIT) virtual machine (VM) access feature in Azure Security Center allows you to lock down inbound traffic to your Azure Virtual
Machines. This reduces exposure to attacks while providing easy access when you need to connect to a VM.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time?tabs=jit-config-asc%2Cjit-request-asc
Trafik255 Highly Voted 6 months, 1 week ago
Got this today 3/9/2022. The answer now is Microsoft Defender and that's what showed on the exam just FYI
upvoted 26 times
taoj Highly Voted 1 year, 3 months ago
Got it on 01 Jun 2021
upvoted 11 times
GetAzure Most Recent 1 week, 5 days ago
is Correct Microsoft Defender for Cloud
upvoted 1 times
arthas989 3 months, 2 weeks ago
Got it on 28 MAY 2022
upvoted 3 times
certstudent2016 4 months, 3 weeks ago
Got this in exam today... correct answer is Microsoft Defender for Cloud which is a new name for Azure Security Center
Pass with 928
upvoted 6 times
RuthieBee 2 months, 2 weeks ago
congrats! Thats a great score. May i ask you if you have used other resources than examtopics to prep for exam? Examtopics is super
helpful - i used it a lot for DP-900 exam and passed. I would also like to broaden my chances if there is smth else out there... Thank you
in advance!
upvoted 2 times
HHHo 4 months, 4 weeks ago
Got this in exam on 2022.04.18
upvoted 1 times
Meyti 6 months, 1 week ago
D is correct.
"Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. "
"Enable JIT on your VMs - You can enable JIT with your own custom options for one or more VMs using Defender for Cloud, PowerShell, or
the REST API. Alternatively, you can enable JIT with default, hard-coded parameters, from Azure virtual machines. When enabled, JIT locks
down inbound traffic to your Azure VMs by creating a rule in your network security group."
https://docs.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage?tabs=jit-config-asc%2Cjit-request-asc
upvoted 4 times
ostralo 8 months ago
FYI Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. We've also renamed Azure Defender plans to
Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage. Learn more about the recent
renaming of Microsoft security services.
https://docs.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-overview
upvoted 4 times
bratukham 8 months, 2 weeks ago
It's B -> Azure Firewall which is Microsoft Defender right now
upvoted 2 times
Ka1Nn 9 months ago
Got it 14/12/2021
upvoted 1 times
Ajaykrish 9 months, 2 weeks ago
got it on 29-Nov-2021
upvoted 1 times
webmaker 9 months, 3 weeks ago
got it on nov 26, 2021
upvoted 1 times
RichC 9 months, 3 weeks ago
appear 26 Nov
upvoted 1 times
Azuni 9 months, 3 weeks ago
I got this question in the exam 22/11/2021
upvoted 1 times
cristina22 9 months, 4 weeks ago
Lock down inbound traffic to your Azure Virtual Machines with Microsoft Defender for Cloud's just-in-time (JIT) virtual machine (VM)
access feature. This reduces exposure to attacks while providing easy access when you need to connect to a VM.
upvoted 2 times
toobig4u 10 months ago
Got this question but with a different answer. The new correct answer is "Microsoft Defender".
upvoted 5 times
Algasibiur 10 months, 1 week ago
It's correct. But it's not more Azure Security Center.
Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. We've also renamed Azure Defender plans to
Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage.
Source: https://docs.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage?tabs=jit-config-asc%2Cjit-request-asc
upvoted 5 times
Topic 1
Question #252
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
hercu Highly Voted 1 year, 6 months ago
Box 2 is Correct! - No!
All of you guys saying that a Network Security Group (NSG) can be associated to a virtual network should be banned on taking this exam
as you just misguide others. Please make some research before you decide to leave some worthless comment.
“You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The
same network security group can be associated to as many subnets and network interfaces as you choose.”
References: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
Note: It clearly says it must be either a subnet (not a virtual network) or a NIC.
upvoted 149 times
sandeepck 1 year, 2 months ago
@hercu is correct : YES, NO, YES
upvoted 8 times
TexTheDog 1 year, 4 months ago
You're absolutely incorrect.
it is YES YES YES
NSG can be attached to virtual network.
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
upvoted 7 times
Saravana12g 1 year, 3 months ago
Create a NSG in Azure Portal and you can see that you can attach it to only - Subnet and NIC. There's no VNET present in the Blade.
upvoted 10 times
rajkfx1 1 year, 1 month ago
I just tried, when we click on subnet and associate NSG, there we can see both Virtual Network and subnet. so the answer should
be YYY
upvoted 6 times
Dev_56 1 year, 1 month ago
That's for the subnet only. You first select the virtual network in which subnet resides. NSG cannot be associated with Virtual
Network
upvoted 3 times
ricerocket 1 year, 4 months ago
read here and answer from #140, nsg can be attached to virtual network.
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
upvoted 6 times
mentedis 1 year, 3 months ago
The second option is NO
"You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine.
The same network security group can be associated to as many subnets and network interfaces as you choose."
Source: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
upvoted 4 times
VIP_G 5 months, 4 weeks ago
Furthermore, I took the AWS exam which is similar concepts, and over there it is the same... you can create Security Groups
(instance level) and NACL (subnet level) in a VPC. VPC is their version of VNET. both Security Groups and NACL act as firewalls
much like NSG. So the 2nd point is NO. You cannot attach an NSG to VNET but you can protect the VNET via NSG by attaching it to
NIC or Subnet.
upvoted 1 times
VIP_G 5 months, 4 weeks ago
Thank you for posting this. It appears that yes you can filter traffic in/out of VNET but via subnet and NIC level with NSG. If you
look at the source posted by @mentedis it states how it all works. The NSG is configured at subnet and NIC level.
upvoted 1 times
theManFromRoom5 6 months ago
Haha "All of you guys saying that a Network Security Group (NSG) can be associated to a virtual network should be banned on taking
this exam". Great approach, ban everyone who gets a question wrong
upvoted 10 times
[Removed] Highly Voted 1 year, 6 months ago
should be all Yes. You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual
network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from,
several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.
upvoted 16 times
Th3Gh05T Most Recent 1 month, 1 week ago
You can only attach NSG to subnet or Network interface.
" You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The
same network security group can be associated to as many subnets and network interfaces as you choose."
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
upvoted 2 times
madcloud 2 months, 1 week ago
Some comments are missing the logic here. Assigning NSG to vnet cannot be done without specifying a subnet. Yes you will need to select
a VNET but then you need to select a subnet. I am saying logic is missing here because eventually if you have two subnets in one VNET,
attaching NSG will be done to only one of them, not to both (in case you are thinking of assigning the NSG to VNET). The mentioned
answer is correct YNY
upvoted 1 times
TiltedPlanet 2 months, 1 week ago
All three are yes.
You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The
same network security group can be associated to as many subnets and network interfaces as you choose.
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
upvoted 1 times
raul4real73 3 months ago
i tested it and the answer is correct YNY. You cannot associate a nsg to virtual network.
upvoted 4 times
bivixa2510 3 months, 2 weeks ago
Box 2 is Correct! - No!
upvoted 1 times
day920g 3 months, 3 weeks ago
its correct answer
upvoted 1 times
kutvaprm 3 months, 3 weeks ago
The answer in Box 2 is Correct - No! In order to prove that, click on Dashboard of Azure Portal, Network Security Group, click on Overview,
check the
Associated with:
0 subnets, 0 network interfaces
upvoted 1 times
mehasi 4 months, 4 weeks ago
YNY
You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The
same network security group can be associated to as many subnets and network interfaces as you choose.
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
upvoted 1 times
Habs 5 months, 1 week ago
Was on exam 10/04/2022
upvoted 4 times
sivva 5 months, 2 weeks ago
Answer is YYY.
Rightly and transparently mentioned in 1st line.
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
upvoted 1 times
BabuMaddineni 5 months, 3 weeks ago
Yes, NO, Yes.
You can deploy resources from several Azure services into an Azure virtual network. For a complete list, see Services that can be deployed
into a virtual network. You can associate zero, or one, network security group to each virtual network subnet and network interface in a
virtual machine. The same network security group can be associated to as many subnets and network interfaces as you choose.
upvoted 1 times
tacobear 6 months ago
it was on exam on 03/12/2022.
upvoted 2 times
CEAUSESCU247 3 months, 3 weeks ago
MERRY CHRISTMAS!! lol its only May 2022!
upvoted 1 times
rrcool 6 months, 2 weeks ago
Was on exam 26/02/2022
upvoted 1 times
smoothAzure 7 months, 2 weeks ago
so confusing
upvoted 1 times
PreethiP 7 months, 3 weeks ago
Microsoft Defender - Azure Security Center
upvoted 1 times
Topic 1
Question #253
You have an Azure environment that contains 10 virtual networks and 100 virtual machines.
You need to limit the amount of inbound traffic to all the Azure virtual networks.
What should you create?
A. one application security group (ASG)
B. 10 virtual network gateways
C. 10 Azure ExpressRoute circuits
D. one Azure firewall
Correct Answer: D
You can restrict traffic to multiple virtual networks with a single Azure firewall.
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful
firewall as a service with built-in high availability and unrestricted cloud scalability.
You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure
Firewall uses a static public IP address for your virtual network resources allowing outside firewalls to identify traffic originating from your
virtual network.
References:
https://docs.microsoft.com/en-us/azure/firewall/overview
Ragijo Highly Voted 2 years, 10 months ago
NSG just block or open a port, Azure Firewall can "limit the amount of traffic", because it's a stateful firewall. So the answer is Azure
Firewall (
upvoted 146 times
Examinicus Highly Voted 2 years, 6 months ago
Both NSG and Firewall can perform this function. I believe the key is in the number of virtual networks involved. You will use an NSG for a
single VN and a Firewall for multiple.
upvoted 21 times
Kashan_Ali 2 years, 1 month ago
Exactly, when I read that I need to protect them all then I have selected "Azure Firewall".
upvoted 2 times
ultraOriginalVillain 2 years, 5 months ago
Yes! NSGs need to be created 10 times for all 10 VNets. Firewall can be applied to a resource group, etc. etc. AT ONCE, selecting all of
them together. Imagine you had 1,000 VNets as well !
upvoted 5 times
Jovial 2 years, 2 months ago
Yes , and another thing is the cost . the cost of peering between 10 Vnet is going to be huge compared to cost of Azure Firewall.
upvoted 1 times
braqa Most Recent 4 months, 3 weeks ago
This question was on test.
upvoted 2 times
Azuni 9 months, 3 weeks ago
I got this question in the exam 22/11/2021
upvoted 1 times
MayankC 9 months, 3 weeks ago
Got this one on 22-Nov-2021
upvoted 1 times
Gerardo1971 1 year, 4 months ago
Correct answer
upvoted 1 times
Kavitw 1 year, 4 months ago
correct
upvoted 1 times
studyali114 1 year, 5 months ago
Azure Firewall
upvoted 1 times
kongf 1 year, 6 months ago
Control inbound traffic in VM via == Firewall , while control Outgoing traffic in VM via = Gateway
upvoted 4 times
sams 1 year, 6 months ago
hi All,
Ihad this for my exam last week fyi
upvoted 6 times
panal 1 year, 7 months ago
Azure Firewall
upvoted 1 times
Sud10 1 year, 9 months ago
A network security group enables you to filter network traffic to and from Azure resources within an Azure virtual network. You can think
of NSGs like an internal firewall.
https://docs.microsoft.com/en-us/learn/modules/secure-network-connectivity-azure/5-filter-traffic-network-security-groups
D should be the correct answer
upvoted 3 times
rickdme 1 year, 9 months ago
Read carefully. It's the aggregate traffic.
upvoted 2 times
sreekarv 1 year, 9 months ago
Azure firewall works before the request gets to the virtual network. NSGs allow you to filter network traffic to and from Azure resources in
an Azure virtual network.
upvoted 2 times
KateS 1 year, 9 months ago
Agree. Azure firewall works for the virtual network. NSGs works for subnet and Network interface in a Vnet.
upvoted 1 times
Alex_22 1 year, 10 months ago
NSG is to allow or block traffic from a certain port.
upvoted 1 times
AhmedReda 1 year, 11 months ago
NSG for sure check the faq.
https://docs.microsoft.com/en-us/azure/firewall/firewall-faq
Search for : Network security groups provide distributed network layer traffic filtering to limit traffic to resources within virtual networks
upvoted 1 times
toto74500 1 year, 11 months ago
Limit "Amount" of inbound traffic in the question, not" limit traffic "
upvoted 1 times
KirruG 2 years ago
D
is answer
upvoted 2 times
Topic 1
Question #254
This question requires that you evaluate the underlined text to determine if it is correct.
Azure Key Vault is used to store secrets for Azure Active Directory (Azure AD) user accounts.
Instructions: Review the underlined text. If it makes the statement correct, select `No change is needed`. If the statement is incorrect, select the
answer choice that makes the statement correct.
A. No change is needed
B. Azure Active Directory (Azure AD) administrative accounts
C. Personally Identifiable Information (PII)
D. server applications
Correct Answer: D
Key Vault is designed to store configuration secrets for server apps. It's not intended for storing data belonging to your app's users, and it
shouldn't be used in the client-side part of an app.
Reference:
https://docs.microsoft.com/en-us/learn/modules/manage-secrets-with-azure-key-vault/2-what-is-key-vault
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview
https://docs.microsoft.com/en-us/learn/modules/manage-secrets-with-azure-key-vault/
Moon Highly Voted 2 years, 9 months ago
I would go with "D". Server Applications.
upvoted 109 times
SimonR2 1 year, 5 months ago
Agreed, you can store connection strings within azure vault rather than within the app itself. This greatly improved security!
upvoted 1 times
shashu07 1 year, 10 months ago
Answer A, as per attached Microsoft Article
function that connects to an Azure Key Vault using Azure Active Directory authentication, and then uses a secret stored in the vault to
query a remote service.
// Create a Key Vault client with an Active Directory authentication callback.
// adClientId and adKey are the AD application's client ID and key, defined elsewhere.
var keyVault = new KeyVaultClient(async (string authority, string resource, string scope) => {
    var authContext = new AuthenticationContext(authority);
    var credential = new ClientCredential(adClientId, adKey);
    var token = await authContext.AcquireTokenAsync(resource, credential);
    return token.AccessToken;
});
https://devblogs.microsoft.com/dotnet/storing-and-using-secrets-in-azure/
upvoted 11 times
CaracasCCS 1 year, 7 months ago
No! > The Secret you will always create it to give it to an Application that needs to use Azure Authentication.. so the app will show
the tocket to Azure and Azure will let it in.
upvoted 4 times
MCLC2021 1 year, 3 months ago
I think that underlined text in the phrase is: "...Azure Active Directory (Azure AD) user accounts."
so if you read the "Important" section in the link https://docs.microsoft.com/en-us/learn/modules/manage-secrets-with-azure-key-vault/2-what-is-key-vault
You can read: "Key Vault is designed to store configuration secrets for server apps."
upvoted 19 times
Tolulee 2 years, 4 months ago
Azure Key Vault enables Microsoft Azure applications and users to store and use several types of secret/key data:
Both application and users. A is correct
upvoted 16 times
ConaxLearn 2 years, 1 month ago
Users <> User Accounts.
upvoted 3 times
M_Abuzaid 1 year, 4 months ago
I totally agree with you, it's for any types of secret/key data
upvoted 1 times
cetag37681 Highly Voted 2 years, 7 months ago
D - Should be the answer. Why would Vault be used to store (Azure AD) user accounts but not (Azure AD) admin accounts? makes no
sense.
upvoted 16 times
dv1 2 years, 7 months ago
Cause there is no AAD "administrator account". Only AAD user (aka member) account with administrative roles (e.g. global
administrator)
upvoted 5 times
idioteque Most Recent 1 month, 3 weeks ago
Selected Answer: A
I would go with A since it's the keyword in question "secret" would most likely relate to "keys" to unlock the secret. So the answer would
be A. :)
upvoted 1 times
tymorg 1 month, 3 weeks ago
Azure Key Vault is a cloud service that provides a secure store for secrets. You can securely store keys, passwords, certificates, and other
secrets. Azure key vaults may be created and managed through the Azure portal. In this quickstart, you create a key vault, then use it to
store a secret
https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-portal
upvoted 1 times
stella_mah 1 month, 4 weeks ago
“Azure Key Vault is used to store secrets for server applications”
upvoted 1 times
_your__fear_ 2 months ago
Selected Answer: C
cccccccc
upvoted 1 times
GoldBear 2 months, 1 week ago
I hope this one is not on my exam since there is no clear choice between A or D. I think A is the correct choice since a user may be another
application that needs to gain access.
upvoted 1 times
b0nb0n1001 2 months, 2 weeks ago
Key Vault is designed to store configuration secrets for server apps. It's not intended for storing data belonging to your app's users, and it
shouldn't be used in the client-side part of an app. This is reflected in its performance characteristics, API, and cost model.
https://docs.microsoft.com/en-us/learn/modules/manage-secrets-with-azure-key-vault/2-what-is-key-vault
upvoted 2 times
liza1234 2 months, 2 weeks ago
AD is not the use case for Key vault but Server Applications.
upvoted 1 times
nikosd9 2 months, 2 weeks ago
What is the purpose of selecting "server applications"? You never store credentials in server applications! This doesn't make any sense.
Key Vault should be the correct either. Maybe the 2nd option?
upvoted 1 times
nikosd9 2 months, 2 weeks ago
"Key Vault should NOT be the correct either."
upvoted 1 times
silviogremio 2 months, 3 weeks ago
Selected Answer: D
The main idea about Key Vault is store certificates, secrets etc. is not letter A because the main idea in Azure AD storing is using Tokens.
Tokens are used by KV.
upvoted 2 times
rqFamily 2 months, 3 weeks ago
Selected Answer: A
https://docs.microsoft.com/en-us/azure/key-vault/general/security-features
Authentication with Key Vault works in conjunction with Azure Active Directory (Azure AD), which is responsible for authenticating the
identity of any given security principal.
upvoted 1 times
rqFamily 2 months, 3 weeks ago
answer is A:
Authentication with Key Vault works in conjunction with Azure Active Directory (Azure AD), which is responsible for authenticating the
identity of any given security principal.
doc: https://docs.microsoft.com/en-us/azure/key-vault/general/security-features
upvoted 1 times
BizComDev 3 months ago
What is the answer the test is looking for, regardless of what we think might be right or wrong? I don't understand how two answers
(when only allowed a single choice in the exam) could both be correct, or both labelled "Most Voted." Makes exam prep more difficult as it
seems a lot of answers shown as correct are incorrect. Is anyone at Exam Topics checking this information? So which is correct. I chose
"A" but it seems there is a tie with "D".
upvoted 1 times
gabrisiq 3 months ago
"Authentication with Key Vault works in conjunction with Azure Active Directory (Azure AD), which is responsible for authenticating the
identity of any given security principal.
A security principal is an object that represents a user, group, service, or application that's requesting access to Azure resources. Azure
assigns a unique object ID to every security principal."
Source: https://docs.microsoft.com/en-us/azure/key-vault/general/authentication
upvoted 1 times
gabrisiq 3 months ago
So, it's A.
upvoted 1 times
raul4real73 3 months ago
Selected Answer: A
answer is D; there is a dedicated database for storing Azure Active Directory (Azure AD) user accounts.
upvoted 1 times
wfrf92 3 months, 2 weeks ago
The answer is D.
upvoted 2 times
Topic 1
Question #255
Your company plans to automate the deployment of servers to Azure.
Your manager is concerned that you may expose administrative credentials during the deployment.
You need to recommend an Azure solution that encrypts the administrative credentials during the deployment.
What should you include in the recommendation?
A. Azure Key Vault
B. Azure Information Protection
C. Azure Security Center
D. Azure Multi-Factor Authentication (MFA)
Correct Answer: A
Azure Key Vault is a secure store for various types of sensitive information. In this question, we would store the administrative
credentials in the Key Vault.
With this solution, there is no need to store the administrative credentials as plain text in the deployment scripts.
All information stored in the Key Vault is encrypted.
Azure Key Vault can be used to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
Secrets and keys are safeguarded by Azure, using industry-standard algorithms, key lengths, and hardware security modules (HSMs). The HSMs
used are Federal Information Processing Standards (FIPS) 140-2 Level 2 validated.
Access to a key vault requires proper authentication and authorization before a caller (user or application) can get access. Authentication
establishes the identity of the caller, while authorization determines the operations that they are allowed to perform.
References:
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview
RSMCT2011 Highly Voted 2 years, 8 months ago
A
Use Azure Key Vault to encrypt keys and small secrets like passwords that use keys stored in hardware security modules (HSMs).
https://azure.microsoft.com/en-us/services/key-vault/
upvoted 35 times
foreverlearner Highly Voted 2 years, 4 months ago
Question is about protecting credential during an automated deployment (e.g. not typing password in clear text in a JSON template or
PS script), not protecting information inside documents (or logins).
Azure Key Vault is the only correct answer for this scenario
upvoted 22 times
wfrf92 Most Recent 3 months, 2 weeks ago
The answer is A.
Azure Key Vault can encrypt the passwords.
upvoted 2 times
diogoweb 1 year ago
Got it on 06-09-2021
upvoted 2 times
iwarakorn 1 year, 2 months ago
Got in exam July02,2021
upvoted 1 times
Lipseal 1 year, 4 months ago
I got this in my exam (May 2021)
upvoted 3 times
Gerardo1971 1 year, 4 months ago
Correct answer
upvoted 1 times
mikl 1 year, 7 months ago
A is correct.
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli
upvoted 2 times
MimeTalk 1 year, 9 months ago
"Azure Resource Manager can securely deploy certificates stored in Azure Key Vault to Azure VMs when the VMs are deployed."
https://docs.microsoft.com/en-us/azure/security/fundamentals/data-encryption-best-practices
So answer is Azure Key Vault
upvoted 3 times
sunwukong 1 year, 9 months ago
Azure Key Vault
upvoted 1 times
Ebenezer 1 year, 10 months ago
Azure Key Vault is a cloud service that provides a secure store for secrets. You can securely store keys, passwords, certificates, and other
secrets.
The answer is definitely Azure Key Vault.
upvoted 3 times
bb2020 1 year, 11 months ago
MFA does not help with providing any help with exposing the password but provides added layer of security. Hence Key Vault is the right
answer
upvoted 1 times
MK1368 2 years ago
Azure key vault
upvoted 1 times
svm_Terran 2 years, 1 month ago
A. Azure keyvault is used to protect critical data such as to encrypt.
upvoted 1 times
Orient3950 2 years, 1 month ago
Comment section is confusing
upvoted 1 times
VTHAR 2 years ago
Yes, but no worries. Answer is Azure Keyvault. It's in exam today 29 Aug.
upvoted 6 times
babuvt 2 years, 2 months ago
A.. It is very clear.. Azure Key Vault
upvoted 1 times
Don123 2 years, 2 months ago
https://azure.microsoft.com/en-us/services/information-protection/
upvoted 1 times
Topic 1
Question #256
You plan to deploy several Azure virtual machines.
You need to control the ports that devices on the Internet can use to access the virtual machines.
What should you use?
A. a network security group (NSG)
B. an Azure Active Directory (Azure AD) role
C. an Azure Active Directory group
D. an Azure key vault
Correct Answer: A
A network security group works like a firewall. You can attach a network security group to a virtual network and/or individual subnets within the
virtual network.
You can also attach a network security group to a network interface assigned to a virtual machine. You can use multiple network security
groups within a virtual network to restrict traffic between resources such as virtual machines and subnets.
You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group
contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
Sandy4912 Highly Voted 2 years, 2 months ago
A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual
Networks (VNet). NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs
(Resource Manager)
A is the correct answer.
upvoted 24 times
vaisat Highly Voted 2 years, 8 months ago
A is the only logic option.
upvoted 9 times
mytapun 1 year, 9 months ago
correct
upvoted 1 times
Tom34 Most Recent 3 months, 2 weeks ago
You can attach a network security group to a virtual network and/or individual subnets within the virtual network. - It's a wrong
statement. You can assign NSG only to subnet and NIC in a virtual machine.
You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The
same network security group can be associated to as many subnets and network interfaces as you choose.
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
upvoted 2 times
Hassan110 7 months ago
A is correct
upvoted 1 times
Subhrajit 7 months, 3 weeks ago
Selected Answer: A
a network security group (NSG)
upvoted 1 times
Sarahxx 1 year, 1 month ago
appeared 18th July 2021
upvoted 2 times
AzureDrew 1 year, 2 months ago
"You can attach a network security group to a virtual network and/or individual subnets within the virtual network." Is wrong. A previous
question states that you cannot attach an NSG to a virtual network. Only subnets and NICs
upvoted 6 times
taoj 1 year, 3 months ago
Got it on 01 Jun 2021
upvoted 2 times
samuelgarcia 1 year, 4 months ago
Why does this answer say you can attach an NSG to a virtual network but in question #133 it says you can't?
upvoted 5 times
pedrolindeza 1 year, 3 months ago
I was looking for this. Thank you
upvoted 2 times
Georgess 10 months, 3 weeks ago
I couldn't find "virtual network" in the whole text of this question, so why are you asking this?
upvoted 1 times
Gerardo1971 1 year, 4 months ago
Correct answer
upvoted 1 times
jashish79 1 year, 6 months ago
Azure Firewall is for filtering traffic from outside Azure world, that is, internet. NSG is for filtering traffic from within Azure resources
... Option of Azure Firewall is not present
upvoted 1 times
DartTrapdoor 1 year, 2 months ago
Azure Firewall is a stateful (and expensive) option for controlling traffic.
NSGs are like access control lists - it does the job. Source and destination for NSG can be outside of Azure.
upvoted 1 times
panal 1 year, 6 months ago
Given Answer is correct.
upvoted 1 times
etoto 1 year, 9 months ago
A network security group (NSG) enables you to filter network traffic to and from Azure resources within an Azure Virtual Network. You can
think of network security groups like an internal firewall. An NSG can contain multiple inbound and outbound security rules that enable
you to filter traffic to and from resources by source and destination IP address, port, and protocol.
upvoted 4 times
Prates_BR 1 year, 9 months ago
Yes, the logical option, however when we are talking about internet, most of times FIREWALL should be the correct option.
upvoted 1 times
winston_45 1 year, 11 months ago
It should be firewall...
upvoted 2 times
ADJ85 1 year, 11 months ago
Ais the correct answer.
upvoted 1 times
Kavitakrish 1 year, 11 months ago
Same question appeared! Many questions from this set came for exam ., really useful material
upvoted 2 times
Topic 1
Question #257
HOTSPOT -
To complete the sentence, select the appropriate option in the answer area.
Hot Area:
Correct Answer:
When you create a virtual machine, the default setting is to create a Network Security Group attached to the network interface assigned to a
virtual machine.
A network security group works like a firewall. You can attach a network security group to a virtual network and/or individual subnets within the
virtual network.
You can also attach a network security group to a network interface assigned to a virtual machine. You can use multiple network security
groups within a virtual network to restrict traffic between resources such as virtual machines and subnets.
You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group
contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
In this question, we need to add a rule to the network security group to allow the connection to the virtual machine on port 8080.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
Kavitw Highly Voted 1 year, 4 months ago
port=NSG
upvoted 17 times
taoj Highly Voted 1 year, 3 months ago
Got it on 01 Jun 2021
upvoted 5 times
MasoudK Most Recent 10 months, 1 week ago
Shouldn't be route table? you will change a NSG rule not NSG itself I thought rules can be defined in route table.
upvoted 1 times
chan2013 10 months, 4 weeks ago
You can attach NSG to NIC or Subnet
upvoted 1 times
diogoweb 1 year ago
Got it on 06-09-2021
upvoted 3 times
Sarahxx 1 year, 1 month ago
appeared 18th July 2021
upvoted 1 times
samaas 1 year, 2 months ago
Appeared on July 7th exam
upvoted 2 times
Dangotthejugo 1 year, 5 months ago
At first I thought it was B, but A seems logical.
upvoted 2 times
UmeshBarailli 1 year, 6 months ago
Correct
upvoted 1 times
Peace2_ 1 year, 6 months ago
Correct
upvoted 1 times
panal 1 year, 6 months ago
Correct
upvoted 2 times
Topic 1
Question #258
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner
AwesomeSlide Highly Voted 1 year, 4 months ago
Owner role can be assigned to multiple users for a resource group. I tried and learnt.
upvoted 67 times
Citrix12345 Highly Voted 1 year, 4 months ago
I test this in my lab and assign the owner role of a resource group to multiple users!
upvoted 35 times
_your__fear_ Most Recent 2 months ago
Y Y N main admin could be only one
upvoted 2 times
jj4321 2 months, 1 week ago
Dear Author of this platform: why u didn't update last option to Yes ???
upvoted 4 times
tacobear 6 months ago
it was on exam on 03/12/2022.
upvoted 4 times
rrcool 6 months, 2 weeks ago
Was on exam 26/02/2022
upvoted 5 times
MS_Learner 7 months, 1 week ago
Got Feb 10, 2022
upvoted 4 times
Sisb 7 months, 4 weeks ago
3 should be Yes, I have done many times in my Azure account
upvoted 9 times
joergsi 8 months ago
About the owner role, please check the following doc-source:
https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
My conclusion:
- Admin-Accounts are limited
- Azure roles are unlimited
=> Answer should be YES!
upvoted 2 times
atilla 8 months ago
owner I tried multiple is possible
upvoted 3 times
mufflon 9 months ago
Custom roles can be done
https://docs.microsoft.com/sv-se/azure/role-based-access-control/custom-roles
A user can have multiple roles
https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles
Owner role can be assigned to multiple users:
The Service Administrator and Co-Administrators are assigned the Owner role at the subscription scope
Applies to all resource types.
https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
so Y-Y-Y
upvoted 3 times
thegreatnivram 9 months, 3 weeks ago
Yes,Yes,Yes
upvoted 4 times
jonnyazure 9 months, 3 weeks ago
whats the answer?
upvoted 1 times
akrben 10 months, 3 weeks ago
the response is yyn because you can't assign a role to a resource group you can only assign them only to a user
upvoted 3 times
Menda 10 months, 1 week ago
read the answer again, it says assigned to multiple users in arg
correct answer is YYY
upvoted 3 times
peymani 11 months ago
https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
Y,Y,Y
upvoted 3 times
ABDESSATTAR 11 months, 4 weeks ago
Y,Y ,Y the owner can be assigned to many users
upvoted 4 times
kedamni 1 year ago
y-y-y are correct
upvoted 2 times
Topic 1
Question #259
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your Azure environment contains multiple Azure virtual machines.
You need to ensure that a virtual machine named VM1 is accessible from the Internet over HTTP.
Solution: You modify a network security group (NSG).
Does this meet the goal?
A. Yes
B. No
Correct Answer: A
A network security group works like a firewall. You can attach a network security group to a virtual network and/or individual subnets within the
virtual network.
You can also attach a network security group to a network interface assigned to a virtual machine. You can use multiple network security
groups within a virtual network to restrict traffic between resources such as virtual machines and subnets.
You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group
contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
In this question, we need to add a rule to the network security group to allow the connection to the virtual machine on port 80 (HTTP).
References:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
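The rule change described above, as an added example (not part of the original page and not Microsoft code): a Python model of how an NSG picks the deciding inbound rule by priority, and how a subnet-level and a NIC-level NSG combine. The custom rule names, the sample rules and the label-only matching of service tags are assumptions made for illustration, and VM1 is assumed to have a public IP.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # lower number is evaluated first
    source: str      # service tag label such as "Internet", or "*" for any
    protocol: str    # "Tcp", "Udp" or "*"
    port_low: int
    port_high: int
    access: str      # "Allow" or "Deny"

    def matches(self, source, protocol, port):
        # Assumption: service tags are compared as plain labels, not IP ranges.
        return (self.source in ("*", source)
                and self.protocol in ("*", protocol)
                and self.port_low <= port <= self.port_high)


# Default inbound rules that every NSG carries below any custom rule.
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", 0, 65535, "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", 0, 65535, "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", 0, 65535, "Deny"),
)


def evaluate(custom_rules, source, protocol, port):
    """Return (access, rule_name) of the first matching rule in priority order."""
    rules = sorted(tuple(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority)
    for rule in rules:
        if rule.matches(source, protocol, port):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches all traffic")


def nsg_layer_allows(subnet_nsg, nic_nsg, source, protocol, port):
    """Inbound traffic passes the subnet NSG, then the NIC NSG; both must allow.

    None means no NSG is associated at that level. Only NSG filtering is
    modelled here, not routing, public IPs or Azure Firewall.
    """
    for nsg in (subnet_nsg, nic_nsg):
        if nsg is not None and evaluate(nsg, source, protocol, port)[0] == "Deny":
            return False
    return True


# Constructed sample rules (hypothetical names and priorities).
ALLOW_RDP = Rule("AllowRdpInbound", 300, "Internet", "Tcp", 3389, 3389, "Allow")
ALLOW_HTTP = Rule("AllowHttpInbound", 100, "Internet", "Tcp", 80, 80, "Allow")
DENY_WEB = Rule("DenyWebInbound", 200, "*", "Tcp", 80, 443, "Deny")


def demo():
    http = ("Internet", "Tcp", 80)
    return {
        # Only RDP is open, so HTTP falls through to the default deny.
        "before_change": evaluate([ALLOW_RDP], *http),
        # Adding an allow rule for TCP 80 makes HTTP reachable.
        "after_change": evaluate([ALLOW_RDP, ALLOW_HTTP], *http),
        # Allow at priority 100 is evaluated before deny at 200.
        "lower_number_wins": evaluate([DENY_WEB, ALLOW_HTTP], *http),
        # A deny in the subnet NSG blocks traffic the NIC NSG would allow.
        "subnet_deny_nic_allow": nsg_layer_allows([DENY_WEB], [ALLOW_HTTP], *http),
        # NSG on the NIC only, with the allow rule in place.
        "nic_only": nsg_layer_allows(None, [ALLOW_HTTP], *http),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```
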
hercu Highly Voted 1 year, 6 months ago
A Network Security Group (NSG) is sufficient to allow the connection to the virtual machine on port 80 (HTTP) from the Internet. Public IP
is part of network configuration. We should mainly focus on the functionality of the Network security groups.
For sure, you can allow the connection to the VM through port 80 using NSG. Tutorial from Microsoft that demonstrates the same case
(with public IP) and NSG used (no firewall!):
https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic
upvoted 12 times
hercu 1 year, 6 months ago
In addition, note: "Some question sets might have more than one correct solution" which means that the answer available here can be
part of the correct solution. To conclude, to modify NSG is surely the required task to meet the expected solution.
upvoted 2 times
RGP4d33 1 year, 4 months ago
But you're assuming (incorrectly) there is a public IP: and there could not... so, answer must be NO (because is an incomplete solution)
upvoted 1 times
TecKen313 1 year, 4 months ago
You are wrong. The answer IS CORRECT
https://docs.microsoft.com/en-us/learn/modules/secure-and-isolate-with-nsg-and-service-endpoints/3-exercise-network-security-groups
upvoted 2 times
rdy2go Highly Voted 1 year, 7 months ago
Shouldn't this be "No", you need to make sure there is a public IP first.
upvoted 10 times
joergsi 8 months ago
If you drill it down to this level, we need to add a NIC to VM first to have the VM reachable over the network!
upvoted 2 times
sinear 1 year, 6 months ago
We can assume IP address is already granted here. This is "fundamentals", remember ;) ? The question is meant to test we correctly
understand what a NSG can do or not. And it can what is stated in the question
upvoted 19 times
RGP4d33 1 year, 4 months ago
But nowhere says there is a public IP ... what if is being accessed only through Bastion? We couldn't predict there is a public IP, so
answer shall be NO.
upvoted 1 times
AshenOne_31 Most Recent 7 months, 2 weeks ago
Selected Answer: A
A makes sense
upvoted 1 times
akp1000 8 months ago
Selected Answer: A
Yes as the NSG allows you to specify the port 80
upvoted 1 times
mufflon 9 months, 1 week ago
Selected Answer: B
https://docs.microsoft.com/en-us/azure/azure-vmware/enable-public-internet-access
upvoted 1 times
mufflon 9 months ago
changing my mind after reading
it works, answer is yes
https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/associate-public-ip-address-vm
Before you can connect to the public IP address from the internet, ensure that you have the necessary ports open in any network
security group that you might have associated to the network interface,
upvoted 1 times
mufflon 9 months, 1 week ago
Answer should be NO.
https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic
Enable public internet for Azure VMware Solution workloads
https://docs.microsoft.com/en-us/azure/azure-vmware/enable-public-internet-access
upvoted 1 times
mufflon 9 months ago
changing my mind after reading
it works, answer is yes
https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/associate-public-ip-address-vm
Before you can connect to the public IP address from the internet, ensure that you have the necessary ports open in any network
security group that you might have associated to the network interface,
upvoted 3 times
mufflon 9 months ago
https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic
upvoted 1 times
Harry28731 9 months, 3 weeks ago
You can attach a network security group to a virtual network and/or individual subnets within the virtual network.
No. You can't attach a NSG to a Vnet, but only to subnets within the Vnets or NIC. Please update the answer as it's misleading.
upvoted 1 times
MGegruis 1 year, 2 months ago
It should be No, as NSG is to filter traffic in-between the Azure VM & Firewall is for traffic from/to internet.
upvoted 1 times
projectkamote 1 year, 2 months ago
NSG or firewall can do this. Since NSG is present from the options, I chose NSG.
upvoted 1 times
mauchi 1 year, 3 months ago
The statement is very vague... but generally yes, modifying NSG in order to allow that traffic would be correct
upvoted 3 times
Tintin_06 1 year, 3 months ago
why not modifying ASG instead ?
"Your Azure environment contains multiple Azure virtual machines."
NSG :
Rules are applied to all resources in the associated subnet.
ASG :
Rules are applied to all ASGs in the same virtual network.
Application security groups
Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to
group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without
manual maintenance of explicit IP addresses. To learn more, see Application security groups.
upvoted 1 times
Franco11 1 year, 4 months ago
Not enough, you need to make sure there is an allow rule on the FIREWALL
upvoted 1 times
Gerardo1971 1 year, 4 months ago
Correct answer
upvoted 1 times
TecKen313 1 year, 4 months ago
The answer is correct.
https://docs.microsoft.com/en-us/learn/modules/secure-and-isolate-with-nsg-and-service-endpoints/3-exercise-network-security-groups
upvoted 2 times
Kavitw 1 year, 4 months ago
correct
upvoted 1 times
GuyJosenhans 1 year, 5 months ago
You need to ensure that a virtual machine named VM1 is accessible from the Internet over HTTP. Ensure is the Key Word! You should have
to modify anything. Many things can block this not just a NSG. A Firewall could block this as well! The answer should be NO!
upvoted 2 times
CARIOCA 1 year, 5 months ago
This question is very divided in the feedback after all what would be the answer and which justified it?
upvoted 1 times
Topic 1
Question #260
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your Azure environment contains multiple Azure virtual machines.
You need to ensure that a virtual machine named VM1 is accessible from the Internet over HTTP.
Solution: You modify a DDoS protection plan.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
DDoS is a form of attack on a network resource. A DDoS protection plan is used to protect against DDoS attacks; it does not provide
connectivity to a virtual machine.
To ensure that a virtual machine named VM1 is accessible from the Internet over HTTP, you need to modify a network security group or Azure
Firewall.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/ddos-protection-overview
chris_py_chris Highly Voted 2 years, 6 months ago
Create new NSG --> add inbound security rule & allow HTTP --> associate with appropriate subnet
upvoted 40 times
friendly4ever Highly Voted 2 years, 10 months ago
firewall should be configured not DDOS
upvoted 11 times
desiboy825 Most Recent 3 days, 21 hours ago
Selected Answer: B
BBBBBBb
upvoted 1 times
gabrisiq 3 months ago
that's exactly right!
upvoted 1 times
iphone99 11 months, 1 week ago
Correct !
upvoted 1 times
Ariful333 11 months, 1 week ago
DDOS is protected attacks and NSG is for allowing HTTP. So, the answer is correct.
upvoted 2 times
Gerardo1971 1 year, 4 months ago
Correct answer
upvoted 1 times
yungenma 1 year, 4 months ago
Correct!
upvoted 1 times
Bhupiz 1 year, 6 months ago
Correct
upvoted 1 times
rob_724 1 year, 6 months ago
well, this should be fairly obvious
upvoted 1 times
panal 1 year, 6 months ago
Correct.
upvoted 1 times
rishikantsingh160581 1 year, 6 months ago
Solution should be NSG
upvoted 1 times
nigeldmgriffith 1 year, 8 months ago
B; the firewall needs to be configured to accomplish the desired result.
upvoted 1 times
male 1 year, 8 months ago
DDOS will provide security from attacks
upvoted 1 times
Divya07 1 year, 8 months ago
You need to assign a public IP if you need access from internet. For security you will configure access via Firewall/ load balancer
upvoted 1 times
QualifiedExpert 1 year, 9 months ago
Modify the NSG first.
upvoted 1 times
sunisury 1 year, 10 months ago
create network security group, associate with VM NIC or subnet for it to be accessible over HTTP... https://docs.microsoft.com/en-us/azure/virtual-machines/windows/nsg-quickstart-portal
upvoted 1 times
Topic 1
Question #261
You need to collect and automatically analyze security events from Azure Active Directory (Azure AD).
What should you use?
A. Azure Sentinel
B. Azure Synapse Analytics
C. Azure AD Connect
D. Azure Key Vault
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/overview
jamesf Highly Voted 1 year, 4 months ago
Correct.
Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated
response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a
single solution for alert detection, threat visibility, proactive hunting, and threat response.
Azure Sentinel comes with a number of connectors for Microsoft solutions, available out of the box and providing real-time integration,
including Microsoft 365 Defender (formerly Microsoft Threat Protection) solutions, and Microsoft 365 sources, including Office 365, Azure
AD, Microsoft Defender for Identity (formerly Azure ATP), and Microsoft Cloud App Security, and more.
https://docs.microsoft.com/en-us/azure/sentinel/overview
upvoted 27 times
patje Highly Voted 1 year, 2 months ago
Also true, Azure Sentinel is never mentioned in any of the Microsoft exam preparation manual, so unless you studied other exams, happen
to know it or visit sites like these you don't get the knowledge you need to go on exam.
upvoted 10 times
Olamz 1 year, 1 month ago
Like seriously, there are some things in the learning path that aren't mentioned which I got to know here
upvoted 4 times
HHHo Most Recent 4 months, 4 weeks ago
Got this in exam on 2022.04.18
upvoted 4 times
tacobear 6 months ago
it was on exam on 03/12/2022.
upvoted 2 times
Bea25 6 months, 3 weeks ago
Azure Sentinel is now called Microsoft Sentinel.
https://docs.microsoft.com/en-us/azure/sentinel/overview
upvoted 2 times
Ajaykrish 9 months, 2 weeks ago
got it on 29-Nov-2021
upvoted 1 times
Jason71 11 months ago
Got this on the 19/10/2021 exam!
upvoted 3 times
alex1491 11 months ago
keywords: security events
upvoted 1 times
Osmanly 1 year ago
Thanks, guys, I never heard of MS Azure Sentinel!
upvoted 2 times
fercho 1 year ago
Appeared on 05 Sep 2021
upvoted 2 times
Sarahxx 1 year, 1 month ago
appeared 18th July 2021
upvoted 2 times
Judah 1 year, 4 months ago
The answer is right I think
upvoted 3 times
rickysanyal 1 year, 4 months ago
yes correct answer
upvoted 3 times
tvl 1 year, 4 months ago
correct
upvoted 2 times
Topic 1
Question #262
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your Azure environment contains multiple Azure virtual machines.
You need to ensure that a virtual machine named VM1 is accessible from the Internet over HTTP.
Solution: You modify an Azure firewall.
Does this meet the goal?
A. Yes
B. No
Correct Answer: A
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful
firewall as a service with built-in high availability and unrestricted cloud scalability.
In this question, we need to add a rule to Azure Firewall to allow the connection to the virtual machine on port 80 (HTTP).
References:
https://docs.microsoft.com/en-us/azure/firewall/overview
foreverlearner Highly Voted 2 years, 4 months ago
You can either modify a firewall or modify a NSG. For basic allow/deny traffic, NSG is enough. But the same can be achieved with Firewall
as well.
"The Azure Firewall service complements network security group functionality. Together, they provide better "defense-in-depth" network
security. Network security groups provide distributed network layer traffic filtering to limit traffic to resources within virtual networks in
each subscription. Azure Firewall is a fully stateful, centralized network firewall as-a-service, which provides network- and application-level
protection across different subscriptions and virtual networks." https://docs.microsoft.com/en-us/azure/firewall/firewall-faq
upvoted 43 times
Chris0105 1 year, 5 months ago
You are right. see as well question #133, so it must be firewall or NSG. I actually thought it was just NSG - seems I am wrong.
upvoted 3 times
lehoang15tuoi 1 year, 9 months ago
Your logic is not clear. To put it simply, both Firewall and NSG can be used to block traffic. Think of them like 2 gates on the same
walkway. You open one and close one, can you pass through both? The NSG default rule is blocking all inbound traffic, so if you don't
do anything with it, it doesn’t matter what you do with the firewall.
upvoted 11 times
Mozbius_ 9 months, 2 weeks ago
EXACTLY my chain of thought. But then again... They didn't specify that a NSG has been set up (NSG's are not set by default when
you create a vm...) so the only thing that could prevent a vm from communicating on port 80 is the firewall...
upvoted 1 times
thebadfella 1 year ago
Guys, forget about the question for a moment and look at your on-prem infra, you need to whitelist in FW first for any legitimate
inbound access. So answer is "YES"
upvoted 2 times
PhilB1000 Highly Voted 2 years, 7 months ago
https://docs.microsoft.com/en-us/azure/firewall/firewall-faq#what-is-the-difference-between-network-security-groups-nsgs-and-azure-firewall
What is the difference between Application Gateway WAF and Azure Firewall?
The Web Application Firewall (WAF) is a feature of Application Gateway that provides centralized inbound protection of your web
applications from common exploits and vulnerabilities. Azure Firewall provides inbound protection for non-HTTP/S protocols (for example,
RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.
upvoted 13 times
jokerbase Most Recent 3 months, 3 weeks ago
Follow this article:
https://adamtheautomator.com/azure-firewall/
We can choose Azure Firewall or NSG. It's also working together. We also can create a VM without NSG. Almost the example they created
the VM with NSG because it's free. Azure Firewall is not free. That's all.
upvoted 2 times
MS_Learner 7 months, 1 week ago
Got Feb 10, 2022, this question came in a way where they list 4 options, so I choose Azure firewall.
upvoted 2 times
mikamozg 9 months, 4 weeks ago
Firewall, WAF and NSG
Application rules aren't applied for inbound connections. So if you want to filter inbound HTTP/S traffic, you should use Web Application
Firewall (WAF). Or alternatively you can tweak NSG because by default everything is closed on NSG once it is created and assigned to vnet,
subnet or vnic.
Below is tutorial how to setup firewall and vnet, but if you go through you will see that all conversation is about outbound traffic not
inbound may be because Azure Firewall application rules aren't applied for inbound connections. So we left with WAF or NSG.
https://docs.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal
upvoted 1 times
mikamozg 9 months, 4 weeks ago
in addition if you go through the deploy guide you will see that making changes to firewall is not enough you always need to do
additional things like create default route in ip tables or create default route in VM in order to direct traffic to firewall. so answering to
test question making changes on Firewall is not enough.
upvoted 1 times
mikamozg 9 months, 4 weeks ago
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/nsg-quickstart-portal
You open a port, or create an endpoint, to a virtual machine (VM) in Azure by creating a network filter on a subnet or a VM network
interface. You place these filters, which control both inbound and outbound traffic, on a network security group attached to the
resource that receives the traffic.
upvoted 1 times
mikamozg 9 months, 4 weeks ago
everytime you search for the correct answer or solution NSG comes up:
https://docs.microsoft.com/en-us/answers/questions/182838/need-to-enable-ports-80-and-443-along-with-inbound.html
upvoted 1 times
manfredw 1 year, 1 month ago
correct
upvoted 1 times
stefano1856 1 year, 3 months ago
In Microsoft Learning Path is stated :
Azure Firewall provides Inbound protection for non-HTTP/S protocols (for example, RDP, SSH, and FTP)
https://docs.microsoft.com/en-us/learn/modules/secure-network-connectivity-azure/7-combine-services-complete-solution#:~:text=Azure%20Firewall%20provides,and%20FTP
upvoted 2 times
Eka22 1 year, 3 months ago
hey guys...in my opinion the answer is correct it should be YES. In simple words , NSGs allow authentic ends to communicate and doesn't
care about the data exchange, on the other hand, Azure Firewall does the same thing as NSG but, it also checks the data transfer. So the
best suitable here to use is Azure Firewall.
upvoted 1 times
Kavitw 1 year, 4 months ago
correct answer
upvoted 1 times
CARIOCA 1 year, 5 months ago
This question is very divided in the feedback after all what would be the answer and which justified it?
upvoted 1 times
Tas006 1 year, 5 months ago
Answer is A. This question came out on the 05.03.2021
upvoted 2 times
rob_724 1 year, 6 months ago
while modifying azure firewall 'can' help -- firewall is not a default service and it is not assumed that it has been already enabled.
upvoted 1 times
hercu 1 year, 6 months ago
I think that the following quote resolves all doubts as it sounds clear enough. “The Web Application Firewall (WAF) is a feature of
Application Gateway that provides centralized inbound protection of your web applications from common exploits and vulnerabilities.
Azure Firewall provides inbound protection for non-HTTP/S protocols (for example, RDP, SSH, FTP), outbound network-level protection for
all ports and protocols, and application-level protection for outbound HTTP/S.” References: https://docs.microsoft.com/en-us/azure/firewall/firewall-faq
Comment: Azure firewall is not intended for inbound HTTP/S protection. This means that only the variant with "You modify a network
security group (NSG)." in the other similar question is correct. Hope it helps :)
upvoted 4 times
Mozbius_ 9 months, 2 weeks ago
I would agree with you hercu but then Microsoft also says the following (can't be clearer than that) :
Can be filtered by Azure Firewall :
* HTTP(S) traffic from on-premises/internet to Azure (inbound)
* HTTP(S) traffic from Azure to on-premises/internet (outbound)
* Non-HTTP(S) traffic, inbound/outbound
https://docs.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway
upvoted 1 times
JohnBB 1 year, 6 months ago
NO is the correct answer.
Explanation: https://docs.microsoft.com/en-us/azure/firewall/firewall-faq#are-network-security-groups--nsgs--supported-on-the-azurefirewallsubnet
Does Azure Firewall support inbound traffic filtering?
Inbound protection is typically used for non-HTTP/S protocols
upvoted 3 times
Diezvai 1 year, 5 months ago
Agree. Example "in front of you is a house with fence and gates - just by opening the gates in the fence you are not guaranteed to be
able to enter the house - you need to open the doors!"
upvoted 1 times
Pinscher 1 year, 6 months ago
The firewall can allow traffic to pass but the VM is still not accessible from the internet if you don't set up a public IP or some routing.
Given that the answer should be no as there is no way to call the VM even if the firewall is open.
upvoted 4 times
Pinscher 1 year, 6 months ago
The firewall can allow traffic to pass but the VM is still not accessible from the internet if you don't set up a public IP or some routing.
Given that the answer should be no as there is no way to call the VM even if the firewall is open.
upvoted 1 times
Khella 1 year, 6 months ago
Correct
upvoted 1 times
Topic 1
Question #263
This question requires that you evaluate the underlined text to determine if it is correct.
Azure Germany can be used by legal residents of Germany only.
Instructions: Review the underlined text. If it makes the statement correct, select `No change is needed`. If the statement is incorrect, select the
answer choice that makes the statement correct.
A. no change is needed
B. only enterprises that are registered in Germany
C. only enterprises that purchase their azure licenses from a partner based in Germany
D. any user or enterprise that requires its data to reside in Germany
Correct Answer: D
Azure Germany is available to eligible customers and partners globally who intend to do business in the EU/EFTA, including the United
Kingdom.
Azure Germany offers a separate instance of Microsoft Azure services from within German datacenters. The datacenters are in two locations,
Frankfurt/Main and Magdeburg. This placement ensures that customer data remains in Germany and that the datacenters connect to each other through a private
network. All customer data is exclusively stored in those datacenters. A designated German company--the German data trustee--controls
access to customer data and the systems and infrastructure that hold customer data.
References:
https://docs.microsoft.com/en-us/azure/germany/germany-welcome?toc=%2fazure%2fgermany%2ftoc.json
https://docs.microsoft.com/en-us/azure/germany/germany-overview-data-trustee
erikd Highly Voted 2 years, 9 months ago
The correct answer is not given here, as MS states: "Azure Germany is available to eligible customers and partners globally who intend to
do business in the EU/EFTA, including the United Kingdom."
upvoted 21 times
foreverlearner 2 years, 4 months ago
UK not for long, though :) That's mostly around GDPR and other regulatory compliance. Germany is part of the EU, so most of them are
the same also for other EU countries, other more sensitive might not be allowed to leave the country. In any way, your comment is
correct, as is the answer
upvoted 1 times
onincasimiro 1 year, 3 months ago
But closest answer is D.
upvoted 5 times
gabrisiq 2 months, 1 week ago
stop confusing people
upvoted 2 times
success101 Highly Voted 2 years, 8 months ago
Correct Answer is D
upvoted 13 times
[Removed] Most Recent 5 months, 2 weeks ago
Selected Answer: D
Right - Azure Special region
upvoted 1 times
Dave0907 1 year, 1 month ago
I never saw the underlined text, why???
upvoted 2 times
Cyfroni 11 months ago
U need to use microsoft edge
upvoted 1 times
ducnd1409 10 months, 2 weeks ago
I am using the edge new version but see nothing
upvoted 2 times
zizonesol 4 months, 4 weeks ago
I used Edge but I am not seeing anything on my end either
upvoted 1 times
marcus021 10 months, 2 weeks ago
me neither, but it is not that hard to guess it.
upvoted 2 times
Gerardo1971 1 year, 4 months ago
Correct answer
upvoted 1 times
panal 1 year, 6 months ago
Correct Answer is D
upvoted 2 times
aruni_mishra 1 year, 9 months ago
"on Sept 30th, 2020, we announced that the Microsoft Cloud Germany would be closing on October 29th, 2021"
https://docs.microsoft.com/en-us/azure/germany/germany-welcome
upvoted 3 times
Kumar1983 1 year, 8 months ago
This is because of two new data centers in Germany, and hence MS is asking customers to complete migration by a certain date in 2021
upvoted 1 times
Mani082 1 year, 11 months ago
does data need to reside in Germany for sure?
upvoted 1 times
tcbw 1 year, 11 months ago
D: "offering customer data residency" (https://docs.microsoft.com/en-us/azure/germany/germany-get-started-connect-with-portal)
upvoted 1 times
Qrm_1972 2 years ago
D is the correct choice
upvoted 1 times
Babustest 2 years, 2 months ago
That credit goes only to China
upvoted 1 times
satishk4u 2 years, 2 months ago
Azure Germany is available to eligible customers and partners globally who intend to do business in the EU/EFTA, including the United
Kingdom.
https://docs.microsoft.com/en-us/azure/germany/germany-welcome
upvoted 1 times
ultraOriginalVillain 2 years, 5 months ago
B and C are racists by the way hahaha of course it's D. Some business contracts, probably governmental contracts, require the data TO
STAY in the country! it cannot leave no matter how much security you use, it cannot leave !
upvoted 5 times
sidd27 2 years, 6 months ago
Agree with erikd completely
upvoted 2 times
axman832005 2 years, 8 months ago
didn't see any azure germany questions on the test
upvoted 6 times
Capo 2 years, 5 months ago
hi the exam questions here in this site are enough or you prepared from any other source as well ?
upvoted 4 times
Topic 1
Question #264
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Yes -
The tool you would use to sync the accounts is Azure AD Connect. The Azure Active Directory Connect synchronization services (Azure AD
Connect sync) is a main component of Azure AD Connect. It takes care of all the operations that are related to synchronizing identity data
between your on-premises environment and Azure AD.
Box 2: Yes -
As described above, third-party cloud services and on-premises Active Directory can be used to access Azure resources. This is known as
'federation'.
Federation is a collection of domains that have established trust. The level of trust may vary, but typically includes authentication and almost
always includes authorization. A typical federation might include a number of organizations that have established trust for shared access to a
set of resources.
Box 3: Yes -
Azure Active Directory (Azure AD) is a centralized identity provider in the cloud. This is the primary built-in authentication and authorization
service to provide secure access to Azure resources.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-whatis
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed
https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-scenarios
Tarfa Highly Voted 9 months ago
appear 16Dec21
upvoted 5 times
Harish2004 Highly Voted 1 year, 5 months ago
Correct
upvoted 5 times
Azuni Most Recent 9 months, 3 weeks ago
I got this question in the exam 22/11/2021
upvoted 2 times
Shw7 1 year, 1 month ago
Appeared on 26-July-2021
upvoted 2 times
pdettorre 1 year, 2 months ago
same as question 168
upvoted 4 times
ReginaldoBarreto 1 year, 6 months ago
Yes to all
upvoted 4 times
panal 1 year, 6 months ago
Correct
upvoted 1 times
TakumaK 1 year, 6 months ago
Can you tell me the difference between AD and AAD?
upvoted 2 times
JesusUB 1 year, 6 months ago
AD is classic Active Directory you install in your on-premise servers. AAD is Azure Active Directory.
upvoted 11 times
rrcool 6 months, 2 weeks ago
panal does not know anything. only spams correct.
upvoted 4 times
fishstix 2 weeks, 3 days ago
correct
upvoted 1 times
Topic 1
Question #265
HOTSPOT -
To complete the sentence, select the appropriate option in the answer area.
Hot Area:
Correct Answer:
The advanced monitoring capabilities in Security Center let you track and manage compliance and governance over time. The overall
compliance provides you with a measure of how much your subscriptions are compliant with policies associated with your workload.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-intro
fat_noel Highly Voted 1 year, 3 months ago
Took exam on 02 June 2021 and this question was there. Score was 895. Almost every question on the exam was on this site so thanks so
much bros! Good luck to those who will take it soon. Study this site twice and you won't miss!
upvoted 42 times
silviogremio Highly Voted 2 months, 3 weeks ago
Security Center (NOW is called Azure Defender for Cloud)
upvoted 10 times
gabrisiq 2 months, 1 week ago
yea... thanks
upvoted 1 times
GetAzure Most Recent 1 week, 5 days ago
is correct Microsoft Defender for Cloud(old name : Security Center)
upvoted 2 times
Angiras 1 month ago
Keyword : Regulatory = Security
upvoted 1 times
HHHo 4 months, 4 weeks ago
Got this in exam on 2022.04.18
upvoted 1 times
ssdwwdf 6 months ago
oh yes
upvoted 1 times
Ajaykrish 9 months, 2 weeks ago
got it on 29-Nov-2021
upvoted 1 times
Azuni 9 months, 3 weeks ago
I got this question in the exam 22/11/2021
upvoted 1 times
Jason71 11 months ago
Got this on the 19/10/2021 exam!
upvoted 2 times
fercho 1 year ago
Appeared on 05 Sept 2021
upvoted 2 times
iwarakorn 1 year, 2 months ago
Got in exam July02,2021
upvoted 3 times
mpooja 1 year, 3 months ago
Appeared in 05 - Jun -21 Exam
upvoted 2 times
maderon 1 year, 3 months ago
compliance=security
upvoted 4 times
taoj 1 year, 3 months ago
Got it on 01 Jun 2021
upvoted 4 times
jamesf 1 year, 3 months ago
correct.
keyword: regulatory = security center
upvoted 4 times
safaa 1 year, 4 months ago
correct!
upvoted 2 times
Topic 1
Question #266
What should you use to evaluate whether your company's Azure environment meets regulatory requirements?
A. Azure Service Health
B. Azure Knowledge Center
C. Azure Security Center
D. Azure Advisor
Correct Answer: C
The advanced monitoring capabilities in Security Center let you track and manage compliance and governance over time. The overall
compliance provides you with a measure of how much your subscriptions are compliant with policies associated with your workload.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-intro
jamesf Highly Voted 1 year, 3 months ago
correct.
keyword: regulatory = security center
upvoted 18 times
taoj Highly Voted 1 year, 3 months ago
Got it on 01 Jun 2021
upvoted 6 times
certstudent2016 Most Recent 4 months, 3 weeks ago
Got this on Exam today... new name for Security center is Microsoft Defender for cloud
passed the exam
upvoted 6 times
BlueMountains 7 months, 3 weeks ago
https://docs.microsoft.com/en-gb/azure/defender-for-cloud/defender-for-cloud-introduction?WT.mc_id=modinfra-17262-socuff
upvoted 2 times
tomfong 8 months ago
Compliance Manager or Security Center?
upvoted 1 times
Ajaykrish 9 months, 2 weeks ago
got it on 29-Nov-2021
upvoted 1 times
koirul_huda 10 months ago
Correct
upvoted 1 times
Jason71 11 months ago
Got this on the 19/10/2021 exam!
upvoted 1 times
fercho 1 year ago
Appeared on 05 Sept 2021
upvoted 2 times
Sarahxx 1 year, 1 month ago
appeared 18th July 2021
upvoted 1 times
Caris 1 year, 4 months ago
correct
upvoted 2 times
Topic 1
Question #267
HOTSPOT -
To complete the sentence, select the appropriate option in the answer area.
Hot Area:
Correct Answer:
Azure Information Protection is used to automatically add a watermark to Microsoft Word documents that contain credit card information.
You use Azure Information Protection labels to apply classification to documents and emails. When you do this, the classification is identifiable
regardless of where the data is stored or with whom it's shared. The labels can include visual markings such as a header, footer, or watermark.
Labels can be applied automatically by administrators who define rules and conditions, manually by users, or a combination where users are
given recommendations. In this question, we would configure a label to be automatically applied to Microsoft Word documents that contain
credit card information. The label would then add the watermark to the documents.
Reference:
https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection
https://docs.microsoft.com/en-us/azure/information-protection/infoprotect-quick-start-tutorial
sunsiva Highly Voted 1 year, 7 months ago
AIP is used to add the water mark to the office documents.
upvoted 13 times
Siraf Most Recent 2 months, 1 week ago
Answer is correct
upvoted 1 times
Shw7 1 year, 1 month ago
Appeared on 26-July-2021
upvoted 2 times
dotty88 1 year, 6 months ago
AIP IS USED
upvoted 4 times
Topic 1
Question #268
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: No -
Azure Active Directory (Azure AD) is a cloud-based service. It does not require domain controllers on virtual machines.
Box 2: Yes -
Azure Active Directory (Azure AD) is a centralized identity provider in the cloud. This is the primary built-in authentication and authorization
service to provide secure access to Azure resources and Microsoft 365.
Box 3: No -
User accounts in Azure Active Directory can be assigned multiple licenses for different Azure or Microsoft 365 services.
panal Highly Voted 1 year, 6 months ago
Correct
upvoted 20 times
gabrisiq Most Recent 2 months, 1 week ago
almost all questions that include "...only" are answered with "No"
upvoted 3 times
raul4real73 3 months ago
2 is NO.
Azure AD helps users access both external and internal resources.
External resources might include Microsoft Office 365, the Azure portal, and thousands of other software as a service (SaaS) applications.
Internal resources might include apps on your corporate network and intranet, along with any cloud applications developed within your
organization.
upvoted 1 times
kapy024 2 months, 3 weeks ago
Your comment is exactly the response for YES.
If it is used for internal and external then it means correct. Microsoft 365 is external.
upvoted 1 times
Tarfa 9 months ago
appear 16Dec21
upvoted 2 times
jm198325 1 year, 2 months ago
Correct
upvoted 1 times
maltezie 1 year, 3 months ago
Easy points
upvoted 3 times
mis3lin 1 year, 5 months ago
no, no, yes
upvoted 1 times
Brasotes 1 year, 4 months ago
what is the explanation for your answer?
upvoted 14 times
Bruno_DBA 4 months, 3 weeks ago
Good luck!
upvoted 1 times
Topic 1
Question #269
Which two types of customers are eligible to use Azure Government to develop a cloud solution? Each correct answer presents a complete
solution.
NOTE: Each correct selection is worth one point.
A. a Canadian government contractor
B. a European government contractor
C. a United States government entity
D. a United States government contractor
E. a European government entity
Correct Answer: CD
Azure Government is a cloud environment specifically built to meet compliance and security requirements for US government. This mission-critical
cloud delivers breakthrough innovation to U.S. government customers and their partners. Azure Government applies to government at
any level - from state and local governments to federal agencies including Department of Defense agencies.
The key difference between Microsoft Azure and Microsoft Azure Government is that Azure Government is a sovereign cloud. It's a physically
separated instance of Azure, dedicated to U.S. government workloads only. It's built exclusively for government agencies and their solution
providers.
References:
https://docs.microsoft.com/en-us/learn/modules/intro-to-azure-government/2-what-is-azure-government
Nakish Highly Voted 2 years, 11 months ago
Azure Government is a cloud environment specifically built to meet compliance and security requirements for US government.
upvoted 54 times
ultraOriginalVillain 2 years, 5 months ago
very American naming...
upvoted 56 times
Raven777 Highly Voted 2 years, 3 months ago
Who f-ing cares (outside the US)? Ridiculous question.
upvoted 52 times
promocode 2 years, 2 months ago
ha ha ha...
upvoted 1 times
benynek 2 years, 2 months ago
People who live outside of the US.
upvoted 6 times
kachraSeth 2 years ago
They are just bragging about these so called special data centers
upvoted 6 times
AnxiousKid 1 year, 6 months ago
literally people who live outside the US lmao
upvoted 7 times
lazslo78 Most Recent 1 week, 3 days ago
Uncle Sam
upvoted 1 times
GetAzure 1 week, 5 days ago
Selected Answer: CD
is correct
upvoted 1 times
tacobear 6 months ago
it was on exam on 03/12/2022.
upvoted 2 times
raven411 1 year, 1 month ago
Easy points
upvoted 1 times
Shw7 1 year, 1 month ago
Appeared on 26-July-2021
upvoted 1 times
iwarakorn 1 year, 2 months ago
Got in exam July02,2021
upvoted 2 times
Plextor 1 year, 2 months ago
I saw this question today on my exam July 1 2021
upvoted 2 times
mpooja 1 year, 3 months ago
Appeared in 05 - Jun -21 Exam
upvoted 2 times
taoj 1 year, 3 months ago
Got it on 01 Jun 2021
upvoted 3 times
Gerardo1971 1 year, 4 months ago
Correct answer
upvoted 1 times
pigandarias 1 year, 5 months ago
appeared on 05/04/2021 exam
upvoted 3 times
sumitraj04 1 year, 5 months ago
Yes within US government.
upvoted 1 times
jinyongzi 1 year, 5 months ago
C and D
upvoted 2 times
Janu12 1 year, 5 months ago
It’s a great service for Americans
upvoted 1 times
Sandeeptp 1 year, 6 months ago
C and D.. It's for US govt
upvoted 1 times
Topic 1
Question #270
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: No -
It is not true that you must deploy a federation solution or sync on-premises identities to the cloud. You can have a cloud-only environment and
use MFA.
Box 2: No -
Picture identification and passport numbers are not valid MFA authentication methods. Valid methods include: Password, Microsoft
Authenticator App, SMS and Voice call.
Box 3:
You can configure MFA to be required for administrator accounts only or you can configure MFA for any user account.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods
TP333 Highly Voted 1 year, 5 months ago
1st question is kinda confusing, Microsoft MUST address it. It can be YES and NO
upvoted 19 times
MaximeHU 1 year, 4 months ago
indeed
upvoted 1 times
NareshNK Highly Voted 1 year, 6 months ago
The catch is a "must" word used in the question. it is not mandatory to have On-Prem identities to sync for multifactor auth.
upvoted 18 times
gabrisiq Most Recent 2 months, 1 week ago
this question appeared on the exam in June 2022.
upvoted 1 times
chungpvv 4 months, 3 weeks ago
I lost this question today. 4/23/22
upvoted 2 times
Ashvinkumar 6 months ago
got it on 14-Mar-22
upvoted 1 times
AnnSoftEng 7 months, 2 weeks ago
confusing question, see below explanation of authentication: Multi-factor Authentication (MFA)
Process of authentication using more than one factor (evidence) to prove identity
Factor types
Knowledge Factor “Something you know”, ex. password, pin
Possession Factor “Something you have”, ex. phone, token, card, key
Physical Characteristic Factor “Something you are”, ex. fingerprint, voice, face, eye iris
Location Factor “Somewhere you are”, ex. GPS location
upvoted 2 times
Ajaykrish 9 months, 2 weeks ago
got it on 29-Nov-2021
upvoted 1 times
Azuni 9 months, 3 weeks ago
I got this question in the exam 22/11/2021
upvoted 3 times
dr_benzin 10 months, 1 week ago
WTF!? If you have on-prem - you should sync AD, if you have no on-prem - the first question has no sense.
upvoted 3 times
hima_hk04 10 months, 3 weeks ago
It is not a must to sync on-premises identities to the cloud, as we can use Azure Connect, where we need not sync on-premise identities to
the cloud and also we can use MFA Server on the on-premise, where it communicates with the Azure MFA and in that case need not sync
on-premise identities to azure
upvoted 4 times
tntbb 9 months, 2 weeks ago
No. Prerequisites is to sync on-premise AD.
"Deploy Azure AD Connect and synchronize user identities between the on-premises Active Directory Domain Services (AD DS) and
Azure AD"
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted
upvoted 1 times
hima_hk04 10 months, 3 weeks ago
https://social.technet.microsoft.com/wiki/contents/articles/29061.azure-multi-factor-authentication-on-premise.aspx
docs.microsoft.com/answers/questions/10804/mfa-on-premise.html
upvoted 2 times
Jason71 11 months ago
Got this on the 19/10/2021 exam!
upvoted 3 times
fercho 1 year ago
Appeared on 05 Sept 2021. Answers are correct
upvoted 7 times
wendyy 1 year ago
1st question is correct. Synchronize user identities between the on-premises AD DS and Azure AD is not the only way. For the On-premises
legacy applications, you need to use Azure AD Application Proxy to use MFA.
upvoted 1 times
Ashok160990 1 year ago
Appeared on 21-August-2021
upvoted 1 times
Shw7 1 year, 1 month ago
Appeared on 26-July-2021
upvoted 1 times
Sarahxx 1 year, 1 month ago
appeared 18th July 2021
upvoted 3 times
Topic 1
Question #271
You need to ensure that when Azure Active Directory (Azure AD) users connect to Azure AD from the Internet by using an anonymous IP address,
the users are prompted automatically to change their password.
Which Azure service should you use?
A. Azure AD Connect Health
B. Azure AD Privileged Identity Management
C. Azure Advanced Threat Protection (ATP)
D. Azure AD Identity Protection
Correct Answer: D
Azure AD Identity Protection includes two risk policies: sign-in risk policy and user risk policy. A sign-in risk represents the probability that a
given authentication request isn't authorized by the identity owner.
There are several types of risk detection. One of them is Anonymous IP Address. This risk detection type indicates sign-ins from an anonymous
IP address (for example, Tor browser or anonymous VPN). These IP addresses are typically used by actors who want to hide their login
telemetry (IP address, location, device, etc.) for potentially malicious intent.
You can configure the sign-in risk policy to require that users change their password.
References:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-sign-in-risk-policy
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
Naghea Highly Voted 2 years ago
I passed!
upvoted 133 times
Krupa007 1 year, 9 months ago
I dont hav complete qn's from this link..can u help me by sending complete qn's if u hav or any other pdf..it will be helpful for me..
Hoping for the positive reply :) thanks in advance
upvoted 4 times
nmnm22 1 year ago
i upvote this for good luck
upvoted 28 times
SoniaA Highly Voted 2 years, 3 months ago
D > Azure AD Identity Protection
"Identity Protection is a tool that allows organizations to accomplish three key tasks:
Automate the detection and remediation of identity-based risks.
Investigate risks using data in the portal.
Export risk detection data to third-party utilities for further analysis."
upvoted 28 times
silviogremio Most Recent 2 months, 3 weeks ago
Selected Answer: D
The core concept here is "Identity"
upvoted 1 times
silviogremio 3 months ago
Just an information: Microsoft Defender replaced Microsoft ATP
upvoted 1 times
Bruno_DBA 4 months, 2 weeks ago
The answer is D, dear Brazilians
upvoted 2 times
Prabhu2701 8 months, 1 week ago
Selected Answer: D
D is right
upvoted 1 times
MCLC2021 1 year, 3 months ago
Azure AD Identity Protection: Identity Protection is a tool that allows organizations to accomplish three key tasks:
Automate the detection and remediation of identity-based risks.
Investigate risks using data in the portal.
Export risk detection data to third-party utilities for further analysis.
Identity Protection identifies risks in the following classifications:
Anonymous IP address --> Sign in from an anonymous IP address (for example: Tor browser, anonymizer VPNs).
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
upvoted 2 times
Gerardo1971 1 year, 4 months ago
Correct answer
upvoted 1 times
SilkyS19 1 year, 4 months ago
D is correct.
Identity protection detect potential vulnerabilities affecting your organization's identities, configure policies to respond to suspicious
actions, and then take appropriate action to resolve them.
upvoted 1 times
sumitraj04 1 year, 5 months ago
Correct
upvoted 1 times
whatsinausername 1 year, 6 months ago
D is correct
upvoted 1 times
Sandeeptp 1 year, 6 months ago
D is right
upvoted 1 times
jd2 1 year, 6 months ago
There's something called conditional access, it's new and we might see it in newer exam versions
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
upvoted 2 times
panal 1 year, 6 months ago
Correct
upvoted 1 times
H1205 1 year, 7 months ago
Answer is Privileged Identity Management (PIM), as it can restrict/control access to threats but Identity Protection informs in case of any
issues
upvoted 1 times
Franco11 1 year, 7 months ago
This should be conditional authentication? Anyone?
upvoted 1 times
Ritz40 1 year, 8 months ago
D is the right answer.
upvoted 2 times
Topic 1
Question #272
DRAG DROP -
Match the term to the correct definition.
Instructions: To answer, drag the appropriate term from the column on the left to its description on the right. Each term may be used once, more
than once, or not at all.
NOTE: Each correct match is worth one point.
Select and Place:
Correct Answer:
Box 1: ISO -
ISO is the International Organization for Standardization. Companies can be certified to ISO standards, for example ISO 9001 or 27001 are
commonly used in IT companies.
Box 2: NIST -
The National Institute of Standards and Technology (NIST) is a physical sciences laboratory, and a non-regulatory agency of the United States
Department of Commerce.
Box 3: GDPR -
GDPR is the General Data Protection Regulations. This standard was adopted across Europe in May 2018 and replaces the now deprecated Data
Protection Directive.
The General Data Protection Regulation (EU) (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the
European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims primarily to give
control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation
within the EU.
Box 4: Azure Government -
US government agencies or their partners interested in cloud services that meet government security and compliance requirements, can be
confident that Microsoft Azure Government provides world-class security, protection, and compliance services. Azure Government delivers a
dedicated cloud enabling government agencies and their partners to transform mission-critical workloads to the cloud. Azure Government services
handle data that is subject to certain government regulations and requirements, such as FedRAMP, NIST 800.171 (DIB), ITAR, IRS 1075, DoD L4,
and CJIS. In order to provide you with the highest level of security and compliance, Azure Government uses physically isolated datacenters and
networks (located in U.S. only).
References:
https://en.wikipedia.org/wiki/National_Institute_of_Standards_and_Technology
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
https://docs.microsoft.com/en-us/azure/azure-government/documentation-government-welcome
Judah Highly Voted 1 year, 4 months ago
That's right.
upvoted 13 times
SumanthB Most Recent 1 month, 3 weeks ago
Correct!
upvoted 1 times
ucee 10 months, 4 weeks ago
Correct
upvoted 3 times
ccalvarezp 1 year, 2 months ago
Agreed
upvoted 4 times
Sangmeshwar 1 year, 4 months ago
Correct
upvoted 3 times
panal 1 year, 6 months ago
correct
upvoted 2 times
Topic 1
Question #273
To what should an application connect to retrieve security tokens?
A. an Azure Storage account
B. Azure Active Directory (Azure AD)
C. a certificate store
D. an Azure key vault
Correct Answer: D
Key Vault is designed to store configuration secrets for server apps.
Incorrect Answers:
A: An Azure Storage account is used to store data. It is not used to store secrets for applications.
B: Azure Active Directory (Azure AD) is a centralized identity provider in the cloud that authenticates users and provides access tokens to them.
It is not used for applications.
Reference:
https://docs.microsoft.com/en-us/learn/modules/manage-secrets-with-azure-key-vault/2-what-is-key-vault
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview
vanr2000 Highly Voted 3 years, 1 month ago
It should be D, instead of B. Azure key vault keep Security Tokens
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis
upvoted 169 times
JasonB 3 years ago
Not Agree
The Azure Key Vault store Keys.
Azure AD give access tokens.
upvoted 139 times
Berg 2 years, 7 months ago
KeyVault can also store tokens.
"Azure Key Vault can be used to Securely store and tightly control access to tokens, passwords, certificates, API keys, and other
secrets"
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview
upvoted 19 times
Stuudent 1 year, 11 months ago
You may store the token in a vault but I don't think apps will be able to connect to it to retrieve the token in order to
access anything. For that you need an OpenID Connect flow (for example) which involves AD:
https://docs.microsoft.com/en-us/azure/active-directory/develop/security-tokens
and then:
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc
upvoted 5 times
dani6666 2 years, 6 months ago
AKV store ACCESS TO tokens (so the keys), not tokens itself
upvoted 11 times
zizonesol 4 months, 4 weeks ago
I am seeing storage in the link by Berg.
"Azure Key Vault can be used to Securely STORE and tightly control access to tokens, passwords, certificates, API keys, and
other secrets"
upvoted 1 times
exam_taker5 3 years, 1 month ago
agreed
upvoted 8 times
Sisb 7 months, 4 weeks ago
D token, API key are in key Vault.
upvoted 1 times
TexTheDog 1 year, 4 months ago
IT IS B: The link below states that tokens comes from Azure AD
https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-app?tabs=dotnet
upvoted 12 times
RTT1976 Highly Voted 2 years, 10 months ago
The answer B is correct, because it asks what "an application should connect to".
An Application cannot connect to a Key Vault.
upvoted 61 times
richardsonbq 2 years, 10 months ago
Actually, the Key Vault can be accessed by an Application to retrieve secure information. So I'm not sure if AD is the only right answer
here...
upvoted 8 times
richardsonbq 2 years, 10 months ago
But in the context of the answer, I believe AD is more appropriate as per
https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-scenarios#security-tokens
upvoted 5 times
onincasimiro 1 year, 3 months ago
Totally agree with you richardsonbq :)
upvoted 1 times
vsivas 2 years, 9 months ago
https://docs.microsoft.com/bs-latn-ba/azure/active-directory-b2c/active-directory-b2c-apps AD is correct
upvoted 2 times
onincasimiro 1 year, 3 months ago
Finally! :) Absolutely agree
upvoted 1 times
sssfasih Most Recent 1 month ago
Azure AD , option B is correct:
https://stackoverflow.com/questions/68135841/az-900-to-what-should-an-application-connect-to-retrieve-security-tokens
upvoted 1 times
Rinaz 1 month, 3 weeks ago
Please note that the question asks us "To retrieve security tokens". You might be thinking about Azure Key Vaults here. A service such as
Azure Key Vault can keep security token, however to access/retrieve something from the Key Vault , we need to be authenticated to
retrieve them. To authenticate, we can use "managed identity" that gives Azure services an automatically managed identity in Azure AD.
So the answer is Azure AD. Remember that Azure AD provides access tokens. Azure Key vault is used to securely store passwords, secrets,
certificates and tokens.
upvoted 3 times
liza1234 2 months, 2 weeks ago
When an application retrieves secret from the key vault, AD will authenticate the application.
When proven authentic, afterwards, AD will retrieve the policy associated with the application to determine the level of authorization the
apps is allowed to do on azure resources.
AD will give the Authorization in the form of Security Token to the apps.
The apps will present the token to the Key Vault if it needs access to the Secrets.
If the apps is authorized to do that API call, the Key vault will give the secret values.
If it is not, The Key Vault will not give the secret value and will release a notification API saying an unauthorized request access has been
made to it.
At least this is my understanding.
So the answer B is correct for me.
upvoted 1 times
silviogremio 2 months, 3 weeks ago
Selected Answer: B
If you read about Tokens, think in Azure AD
upvoted 1 times
kapy024 2 months, 3 weeks ago
https://docs.microsoft.com/en-us/azure/active-directory/develop/app-sign-in-flow
The answer is correct. Azure AD
upvoted 1 times
EVE12 4 months, 2 weeks ago
Selected Answer: B
https://docs.microsoft.com/en-us/azure/key-vault/media/authentication/authentication-flow.png
upvoted 1 times
droopydog 5 months, 2 weeks ago
Selected Answer: B
Answer
upvoted 2 times
droopydog 5 months, 2 weeks ago
Selected Answer: D
API key are in key Vault
upvoted 2 times
frych 5 months, 2 weeks ago
correct is D. Azure key vault (Application) not B. Azure AD (Users)
upvoted 1 times
Pims 5 months, 3 weeks ago
agreed with Roberto: D is correct. AAD generates the token and App stores the token in Azure Key Vault. The app can later retrieve the
token from Key Vault without accessing Azure.
https://docs.microsoft.com/en-us/azure/key-vault/media/authentication/authentication-flow.png
upvoted 1 times
babufrik 6 months, 1 week ago
From my point of view, and regarding of this information (read below), the correct answer is (D) Azure Key Vault.
From Microsoft Azure:
Because Azure AD identities can be granted access to use Azure Key Vault secrets, applications with managed service identities enabled
can automatically and seamlessly acquire the secrets they need.
Azure Key Vault is a centralized cloud service for storing your application secrets. Key Vault helps you control your applications’ secrets by
keeping them in a single, central location and by providing secure access, permissions control, and access logging capabilities.
upvoted 1 times
babufrik 6 months, 1 week ago
From my point of view, and regarding of this information (read below), the correct answer is (B) Azure AD.
From Microsoft Azure:
Because Azure AD identities can be granted access to use Azure Key Vault secrets, applications with managed service identities enabled
can automatically and seamlessly acquire the secrets they need.
Azure Key Vault is a centralized cloud service for storing your application secrets. Key Vault helps you control your applications’ secrets by
keeping them in a single, central location and by providing secure access, permissions control, and access logging capabilities.
upvoted 1 times
babufrik 6 months, 1 week ago
Please, do not consider this. Correct answer is (D) Azure Key Vault.
A mistake in the first line
upvoted 1 times
Nishkurup 6 months, 2 weeks ago
Selected Answer: B
https://docs.microsoft.com/en-us/azure/active-directory/develop/security-tokens
upvoted 2 times
Archna141990 6 months, 2 weeks ago
Secrets Management - Azure Key Vault can be used to Securely store and tightly control access to tokens, passwords, certificates, API keys,
and other secrets
Key Management - Azure Key Vault can be used as a Key Management solution. Azure Key Vault makes it easy to create and control the
encryption keys used to encrypt your data.
Certificate Management - Azure Key Vault lets you easily provision, manage, and deploy public and private Transport Layer
Security/Secure Sockets Layer (TLS/SSL) certificates for use with Azure and your internal connected resources.
https://docs.microsoft.com/en-us/azure/key-vault/general/overview
upvoted 1 times
nonaldo91 6 months, 3 weeks ago
I just took the Exam and wasn't sure but went on Microsoft Docs website and got this statement and it was correct on my exam.
Instead, you can request an OAuth 2.0 access token from the Microsoft identity platform. Azure AD authenticates the security principal (a
user, group, or service principal) running the application. If authentication succeeds, Azure AD returns the access token to the application,
and the application can then use the access token to authorize requests to Azure Blob storage or Queue storage.
https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-app?tabs=dotnet
upvoted 1 times
Topic 1
Question #274
Your network contains an Active Directory forest. The forest contains 5,000 user accounts.
Your company plans to migrate all network resources to Azure and to decommission the on-premises data center.
You need to recommend a solution to minimize the impact on users after the planned migration.
What should you recommend?
A. Implement Azure Multi-Factor Authentication (MFA)
B. Sync all the Active Directory user accounts to Azure Active Directory (Azure AD)
C. Instruct all users to change their password
D. Create a guest user account in Azure Active Directory (Azure AD) for each user
Correct Answer: B
To migrate to Azure and decommission the on-premises data center, you would need to create the 5,000 user accounts in Azure Active
Directory. The easy way to do this is to sync all the Active Directory user accounts to Azure Active Directory (Azure AD). You can even sync their
passwords to further minimize the impact on users.
The tool you would use to sync the accounts is Azure AD Connect. The Azure Active Directory Connect synchronization services (Azure AD
Connect sync) is a main component of Azure AD Connect. It takes care of all the operations that are related to synchronize identity data
between your on-premises environment and Azure AD.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-whatis
Ragijo Highly Voted 2 years, 10 months ago
MFA is to use your phone or a secondary phase of authentication.
You need to move users to Azure not reset their passwords, so Instruct all users to change their password is invalid.
Create a guest user account in Azure Active Directory (Azure AD) for each user, if you do that, is like creating a new user to the existing
user, so the identities will be different.
The answer is B. Sync all the Active Directory user accounts to Azure Active Directory (Azure AD) using AAD Connect or importing the users
from AD DS.
upvoted 95 times
shashu07 1 year, 10 months ago
Excellent Explanation
upvoted 1 times
axman832005 Highly Voted 2 years, 8 months ago
this was on the test
upvoted 33 times
ultraOriginalVillain 2 years, 5 months ago
thank you.
upvoted 2 times
BShelat Most Recent 5 months, 1 week ago
Option B makes sense for the scenario while on premise assets are migrating to Azure. To make life easy during migration you want to
sync user credentials on premise to Azure AD. But "after migration" you do not even want to have Azure AD connect exists since you are
already done with migration and so option B does NOT make sense for the scenario for the "after migration" environment. MFA would
make life easy once on premise assets are migrated to cloud. So I would go with Option A considering the words "After migration". What
do you say guys?
upvoted 1 times
[Removed] 12 months ago
Answer B is correct. But you do not sync a password, you sync a hash of a password. That is the password is stored in local Windows AD as
a hash, then a salt value is added (a number), and this construct is hashed 1000 times. For a user in practical terms the password is
synced, but for us Europeans no local password is stored in Azure AD.
upvoted 2 times
dim97 1 year, 1 month ago
Forest?
upvoted 1 times
furymistrz 3 months ago
If you have LDAP "tree", you can also have "forest" :D
upvoted 1 times
Shw7 1 year, 1 month ago
Appeared on 26-July-2021
upvoted 1 times
Splay 1 year, 2 months ago
Appeared 28/06/21
upvoted 2 times
Gerardo1971 1 year, 4 months ago
Correct answer
upvoted 1 times
nickname_200 1 year, 5 months ago
I got it on the exam
upvoted 2 times
panal 1 year, 6 months ago
Correct
upvoted 1 times
Joe75 1 year, 7 months ago
If there was a choice of "AAD DS", that would be better.
upvoted 1 times
Beros 1 year, 7 months ago
The Azure Active Directory Connect synchronization services (Azure AD Connect sync) is a main component of Azure AD Connect. It takes
care of all the operations that are related to synchronize identity data between your on-premises environment and Azure AD.
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-whatis
upvoted 1 times
bifeye8205 1 year, 8 months ago
Its synch using Azure AD connect
upvoted 1 times
Buruguduystunstugudunstuy 1 year, 9 months ago
B. Sync all the Active Directory user accounts to Azure Active Directory (Azure AD)
upvoted 1 times
[Removed] 1 year, 9 months ago
I've just done the exam and passed with 840!!! Most of the questions are from here!!!
upvoted 4 times
Krishna_Agrawal 1 year, 10 months ago
Yes correct
upvoted 1 times
Ebenezer 1 year, 10 months ago
This answer is right!!!
upvoted 1 times
Topic 1
Question #275
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Yes -
You can send Azure AD activity logs to Azure Monitor logs to enable rich visualizations, monitoring and alerting on the connected data.
All data collected by Azure Monitor fits into one of two fundamental types, metrics and logs (including Azure AD activity logs). Activity logs
record when resources are created or modified. Metrics tell you how the resource is performing and the resources that it's consuming.
Box 2: Yes -
Azure Monitor can consolidate log entries from multiple Azure resources, subscriptions, and tenants into one location for analysis together.
Box 3: Yes -
You can create alerts in Azure Monitor.
Alerts in Azure Monitor proactively notify you of critical conditions and potentially attempt to take corrective action. Alert rules based on
metrics provide near real time alerting based on numeric values, while rules based on logs allow for complex logic across data from multiple
sources.
References:
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor
https://docs.microsoft.com/en-us/azure/azure-monitor/overview
Veronika1989 Highly Voted 1 year, 6 months ago
Correct! I have re-checked 2nd question from the portal and it is possible to monitor 2 subs at the same time.
upvoted 21 times
raedon 3 months, 3 weeks ago
thanks
upvoted 1 times
makco10 11 months, 4 weeks ago
Thanks!
upvoted 1 times
Anil7177 Most Recent 6 months ago
Got this on 3/13/2022
upvoted 4 times
MS_Learner 7 months, 1 week ago
Got Feb 10, 2022
upvoted 1 times
Tarfa 9 months ago
appear 16Dec21
upvoted 3 times
Natei 9 months, 4 weeks ago
Studied this resource and passed the exam today (850). Helpful resource.
upvoted 4 times
easygo68 10 months, 1 week ago
Be asked in the 11.11.2021 exam!
upvoted 3 times
Saravana12g 1 year, 3 months ago
Question2: Answer is Yes - Explained
a. Azure Monitor Logs is a feature of Azure Monitor that collects and organizes log and performance data from monitored resources.
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/logs/data-platform-logs
b. Send resource logs to a Log Analytics workspace to enable the features of Azure Monitor Logs which includes the following:
----Consolidate log entries from multiple Azure resources, subscriptions, and tenants into one location for analysis together.
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/resource-logs
upvoted 4 times
Gerardo1971 1 year, 4 months ago
Correct answer
upvoted 3 times
hercu 1 year, 6 months ago
Box 1 & 3 - Correct!
Box 2 is also Correct - Yes!
"A single Log Analytics workspace can monitor resources in all of your subscriptions as long as they are under the same Tenant."
Reference: https://techcommunity.microsoft.com/t5/azure-monitor/log-analytics-workspace-with-multiple-subscription/m-p/324805
upvoted 2 times
Sandy14nove 1 year, 6 months ago
The second should be NO
Azure Monitor can be configured to monitor any Resource with any Conditions that you want, but when you save the monitor alert rule it
is saved as an object in the same subscription that is selected when you choose the resource that you are monitoring.
upvoted 1 times
breton 1 year, 6 months ago
The second should be No
upvoted 1 times
panal 1 year, 6 months ago
Correct
upvoted 1 times
hf443 1 year, 7 months ago
I think second question should be No.
https://techcommunity.microsoft.com/t5/azure-monitor/azure-monitor-multiple-subscriptions/m-p/1348362
upvoted 2 times
hf443 1 year, 7 months ago
Having doubts now. According to https://docs.microsoft.com/en-us/azure/azure-monitor/platform/resource-logs. "Consolidate log
entries from multiple Azure resources, subscriptions, and tenants into one location for analysis together."
upvoted 3 times
TakumaK 1 year, 6 months ago
Thanks for the link to figure out the answer. Azure Monitor Logs is a feature of Azure Monitor. And Azure Monitor Logs consolidate
log entries from multiple Azure resources, subscriptions, and tenants into one location for analysis together. This might lead the
answer is Yes.
upvoted 4 times
Shivaram_i 1 year, 7 months ago
I think Answer is correct.
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/cross-workspace-query
upvoted 3 times
Topic 1
Question #276
HOTSPOT -
You create a resource group named RG1 in Azure Resource Manager.
You need to prevent the accidental deletion of the resources in RG1.
Which setting should you use? To answer, select the appropriate setting in the answer area.
Hot Area:
Correct Answer:
You can configure a lock on a resource group to prevent the accidental deletion.
As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in your organization from
accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called
Delete and Read-only respectively.
CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.
ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting
all authorized users to the permissions granted by the Reader role.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources
Abdelbaki Highly Voted 7 months, 2 weeks ago
Correct
upvoted 6 times
CodePro Most Recent 5 months, 1 week ago
Correct
upvoted 1 times
tacobear 6 months ago
it was on exam on 03/12/2022.
upvoted 1 times
iedodo 6 months, 1 week ago
Azure resources locks are designed to prevent accidental deletion and/or modification. Locks are used in conjunction with RBAC
upvoted 1 times
Topic 1
Question #277
You have a resource group named RG1.
You need to prevent the creation of virtual machines in RG1. The solution must ensure that other objects can be created in RG1.
What should you use?
A. a lock
B. an Azure role
C. a tag
D. an Azure policy
Correct Answer: D
Azure policies can be used to define requirements for resource properties during deployment and for already existing resources. Azure Policy
controls properties such as the types or locations of resources.
Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over
your resources, so those resources stay compliant with your corporate standards and service level agreements.
In this question, we would create an Azure policy assigned to the resource group that denies the creation of virtual machines in the resource
group.
You could place a read-only lock on the resource group. However, that would prevent the creation of any resources in the resource group, not
virtual machines only. Therefore, an Azure Policy is a better solution.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/overview
Stez Highly Voted 1 year, 4 months ago
Correct. D
upvoted 7 times
silviogremio Most Recent 2 months, 3 weeks ago
Selected Answer: D
Core Point is, Azure Policy enforces compliance to new and already existing resources.
upvoted 1 times
LingW 5 months ago
Got it on 2022/4/18 exam
upvoted 3 times
tacobear 6 months ago
it was on exam on 03/12/2022.
upvoted 2 times
TheKraemer 8 months ago
Correct and good explanation!
upvoted 1 times
diogoweb 1 year ago
Got it on 06-09-2021
upvoted 1 times
wawa3 1 year, 3 months ago
appeared on 2021 05 23 exam
upvoted 4 times
CarlosBarrero 1 year, 6 months ago
correct
upvoted 1 times
Topic 1
Question #278
You have an Azure subscription and 100 Windows 10 devices.
You need to ensure that only users whose devices have the latest security patches installed can access Azure Active Directory (Azure AD)-
integrated applications.
What should you implement?
A. a conditional access policy
B. Azure Bastion
C. Azure Firewall
D. Azure Policy
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policies
kharakbeer Highly Voted 1 year ago
Bla Bla bla
upvoted 6 times
MomoLomo 1 year ago
eh y3m
upvoted 2 times
MS_Learner Most Recent 7 months, 1 week ago
Got Feb 10, 2022
upvoted 2 times
lovecloud2 9 months, 1 week ago
Can easily be done with Azure Intune Conditional access policy.
upvoted 2 times
akrben 10 months, 3 weeks ago
this answer is correct
upvoted 2 times
TTAKU 11 months, 2 weeks ago
Conditional Access Policy is correct answer
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
upvoted 4 times
MIAIM78 11 months, 3 weeks ago
True that
upvoted 1 times
Pabs_QT 1 year ago
when configuring CAP, you can enable checking if the device is compliant - Just saying :)
upvoted 3 times
Topic 1
Question #279
What can Azure Information Protection encrypt?
A. network traffic
B. documents and email messages
C. an Azure Storage account
D. an Azure SQL database
Correct Answer: B
Azure Information Protection can encrypt documents and emails.
Azure Information Protection is a cloud-based solution that helps an organization to classify and optionally, protect its documents and emails
by applying labels.
Labels can be applied automatically by administrators who define rules and conditions, manually by users, or a combination where users are
given recommendations.
The protection technology uses Azure Rights Management (often abbreviated to Azure RMS). This technology is integrated with other Microsoft
cloud services and applications, such as Office 365 and Azure Active Directory.
This protection technology uses encryption, identity, and authorization policies. Similarly to the labels that are applied, protection that is applied
by using Rights Management stays with the documents and emails, independently of the location (inside or outside your organization,
networks, file servers, and applications).
References:
https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection
https://docs.microsoft.com/en-us/azure/information-protection/quickstart-label-dnf-protectedemail
Sandy4912 Highly Voted 2 years, 2 months ago
Azure Information Protection (sometimes referred to as AIP) is a cloud-based solution that helps an organization to classify and
optionally, protect its documents and emails by applying labels. Labels can be applied automatically by administrators who define rules
and conditions, manually by users, or a combination where users are given recommendations.
Ref : https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection
upvoted 34 times
MoSiyed Highly Voted 2 years, 3 months ago
this came on the test
upvoted 19 times
lazslo78 Most Recent 1 week, 3 days ago
This question should be retired or updated :
Azure Information Protection (AIP) is part of Microsoft Purview Information Protection (formerly Microsoft Information Protection or MIP)
upvoted 1 times
SIAMIANJI 2 months, 2 weeks ago
Selected Answer: B
B is correct.
upvoted 2 times
bogdanmaceasa 9 months, 2 weeks ago
I am studying for the exam from the Microsoft Learning path: https://docs.microsoft.com/en-us/learn/paths/az-900-describe-cloud-concepts/
I did not come across this topic in the materials there. This is not a singular case...quite infuriating.
upvoted 3 times
vabna19 1 year, 6 months ago
b is correct
upvoted 1 times
panal 1 year, 6 months ago
Correct
upvoted 2 times
chinnilax 1 year, 8 months ago
B, a straight question
upvoted 1 times
fabras 1 year, 9 months ago
b correct. https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection
upvoted 2 times
MK1368 2 years ago
B is correct
upvoted 1 times
Cloudyuga 2 years, 3 months ago
yes its B
upvoted 2 times
axman832005 2 years, 8 months ago
b - def on the test
upvoted 5 times
GKK 2 years, 8 months ago
B - IRM
upvoted 2 times
success101 2 years, 8 months ago
B is correct
upvoted 10 times
Topic 1
Question #280
What should you use to evaluate whether your company's Azure environment meets regulatory requirements?
A. the Knowledge Center website
B. the Advisor blade from the Azure portal
C. Compliance Manager from the Service Trust Portal
D. the Solutions blade from the Azure portal
Correct Answer: C
Compliance Manager in the Service Trust Portal is a workflow-based risk assessment tool that helps you track, assign, and verify your
organization's regulatory compliance activities related to Microsoft Cloud services, such as Microsoft 365, Dynamics 365, and Azure.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-with-service-trust-portal?view=o365-worldwide
mojoi Highly Voted 1 year, 4 months ago
Compliance Manager has moved from the Service Trust Portal to its new location in the Microsoft 365 compliance center
https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-with-service-trust-portal?view=o365-worldwide
upvoted 21 times
ckit 1 year, 1 month ago
Yes, Compliance Manager is no longer part of Service Trust. You can access it from Azure Portal.
upvoted 1 times
ExamGuy01 1 year, 1 month ago
can't find it in Azure portal, only through Microsoft 365 compliance center stp link
upvoted 2 times
silviogremio Most Recent 3 months ago
Microsoft 365 compliance is now called Microsoft Purview
Please, check it out: https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-with-service-trust-portal?view=o365-worldwide
upvoted 4 times
b0nb0n1001 2 months, 2 weeks ago
Yes correct, try to visit the latest updates on the link...
upvoted 2 times
wanchihh 2 months, 1 week ago
Omg... Service Trust Portal -> Microsoft 365 Compliance Center -> Microsoft Purview. Can Microsoft stop renaming and moving stuff
whenever the wind blows?
upvoted 1 times
Aznerd 3 months, 4 weeks ago
So what is the correct ans?
C or D?
upvoted 2 times
rafahb 5 months ago
Correct answer is D
upvoted 1 times
tomfong 8 months ago
Compliance Manager or Security Center?
upvoted 1 times
iedodo 6 months, 1 week ago
Same question, is a bit confusing. But since that option is not available Trust Portal will do, I guess.
upvoted 1 times
Ralph_26 9 months, 4 weeks ago
Correct answer should be D.
upvoted 2 times
PMO55 10 months, 1 week ago
In MS documentation and learning path, even if the online training sustained by Microsoft they sustain it is part of Trust center...
upvoted 1 times
akrben 10 months, 3 weeks ago
correct
upvoted 2 times
mpooja 1 year, 3 months ago
Appeared in 05 - Jun -21 Exam
upvoted 4 times
lollo1234 1 year, 3 months ago
Asked during exam on 21 May 2021.
upvoted 2 times
panal 1 year, 6 months ago
Correct
upvoted 2 times
smcm 1 year, 7 months ago
Correct
upvoted 2 times
Topic 1
Question #281
HOTSPOT -
To complete the sentence, select the appropriate option in the answer area.
Hot Area:
Correct Answer:
Ajaykrish 9 months, 2 weeks ago
got it on 29-Nov-2021
upvoted 1 times
Jason71 11 months ago
Got this on the 19/10/2021 exam!
upvoted 1 times
Roy_zuniga 11 months, 1 week ago
Easy one.
upvoted 1 times
vinc855 11 months, 2 weeks ago
Correct
upvoted 1 times
fercho 1 year ago
Appeared on 05 Sept 2021
upvoted 4 times
Topic 1
Question #282
You have an Azure subscription.
Where will you find details on the personal data collected by Microsoft, how Microsoft uses the data, and what the data is used for?
A. the Data Protection Addendum
B. the Microsoft Online Services Terms
C. the Microsoft Privacy Statement
D. Azure Security Center
Correct Answer: C
The Microsoft Privacy Statement explains the personal data Microsoft processes, how Microsoft processes it, and for what purposes. Your
applicable Services Agreement or the Preview Supplemental Terms may specify lesser or different privacy measures for some Preview services.
Reference:
https://azure.microsoft.com/en-us/support/legal/
Johnphealipto Highly Voted 11 months, 2 weeks ago
Hint:
Personal Data = Privacy
upvoted 12 times
iccbsports 8 months, 2 weeks ago
(P)ersonal Data = (P)rivacy
upvoted 1 times
Bruno_DBA Most Recent 4 months, 1 week ago
Very izi.
upvoted 1 times
TitoChuz 4 months, 3 weeks ago
The Online Services Data Protection Addendum (“DPA”) sets forth your and Microsoft’s obligations with respect to the processing and
security of Customer Data and Personal Data in connection with Azure.
The Online Services Privacy and Security Terms section of the Product Terms site further sets forth exclusions from the DPA as well as
additional commitments for Core Online Services.
The Microsoft Trust Center provides more information on security, privacy, and compliance topics for customers of Azure and other
Microsoft Online Services.
The Service Trust Portal (STP) is a companion feature to the Trust Center that provides access to audit reports, GDPR documentation,
compliance guides, and related documents that provide more detailed information on how Microsoft helps protect your data.
https://azure.microsoft.com/en-us/support/legal/#:~:text=Data%20Protection%20The%20Online%20Services%20Data%20Protection%20Addendum,Data%20and%20Personal%20Data%20in%20connection%20with%20Azure.
I'm torn between A and C, not really sure on one or another.
upvoted 1 times
Ajaykrish 9 months, 2 weeks ago
got it on 29-Nov-2021
upvoted 1 times
Azuni 9 months, 3 weeks ago
I got this question in the exam 22/11/2021
upvoted 1 times
Algasibiur 10 months, 2 weeks ago
The terms formerly contained in the “Online Services Terms” have been moved into the “Product Terms” and no longer exist as
standalone terms.
https://www.microsoft.com/en-us/licensing/product-licensing/products
upvoted 2 times
Topic 1
Question #283
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-single-sign-on
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-register
frych 5 months, 2 weeks ago
Y - https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy
Y
Y
upvoted 4 times
joergsi 7 months, 4 weeks ago
About Q1, this can be achieved with an Azure AD Application Proxy:
https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy#:~:text=Application%20Proxy%20is%20a%20feature,on%20an%20on%2Dpremises%20server.
upvoted 2 times
mmmmmnm 8 months, 4 weeks ago
The first one should be NO.
Only AAD cannot manage the on-premises.
upvoted 1 times
anass1992 8 months, 3 weeks ago
It should be YES: Which features work in Azure AD? > Application management > "Manage your cloud and on-premises apps using
Application Proxy, single sign-on, the My Apps portal (also known as the Access panel), and Software as a Service (SaaS) apps".
Link: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis
upvoted 3 times
bipsta 8 months, 1 week ago
Agreed...should be yes. https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy
upvoted 1 times
Azuni 9 months, 3 weeks ago
I got this question in the exam 22/11/2021
upvoted 1 times
akrben 10 months, 3 weeks ago
the azure ad user cannot login to an on premise infrastructure because the user can only sync from ad to azure ad the response is nyy
upvoted 3 times
iphone99 11 months ago
What do you mean?
upvoted 3 times
Mev4953 11 months, 3 weeks ago
Q3 yes
Windows 10, iOS, Android, and macOS
upvoted 3 times
wzlwit 11 months ago
it seems to conflict with Q203.
upvoted 2 times
wzlwit 11 months ago
it's right, no conflict with Q203
upvoted 3 times
Mozbius_ 9 months, 2 weeks ago
3 is a trick question where the word JOINED and REGISTERED changes everything!
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-register
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join
upvoted 7 times
Topic 1
Question #284
HOTSPOT -
To complete the sentence, select the appropriate option in the answer area.
Hot Area:
Correct Answer:
The VNet will be marked as 'Non-compliant' when the policy is assigned. However, it will not be deleted and will continue to function normally.
Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over
your resources, so those resources stay compliant with your corporate standards and service level agreements.
If there are any existing resources that aren't compliant with a new policy assignment, they appear under Non-compliant resources.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/overview
https://docs.microsoft.com/en-us/azure/governance/policy/assign-policy-portal
fabzo Highly Voted 1 year, 2 months ago
You need to know this for the AZ 900 exam, wow
upvoted 38 times
adamleemlx 9 months ago
this is beyond amazing to have this question on AZ 900
upvoted 4 times
SimonR2 Highly Voted 1 year, 5 months ago
I remember reading something on thinkers it said it.would continue to function normally but would flag the resource for non compliance
with the policy. Answer is correct.
upvoted 7 times
SimonR2 1 year, 5 months ago
Sorry autocorrect! *Reading something on this and it said it would...*
upvoted 1 times
Vish1000 Most Recent 4 months, 4 weeks ago
Correct answer - azure policy does have remediation tasks with some policies but Azure will not remove the resource here. It will just be
flagged for non-compliance and as per the shared responsibility model, our account our responsibility.
upvoted 2 times
Georgess 10 months, 3 weeks ago
The following are the times or events that cause a resource to be evaluated:
-A resource is created, updated, or deleted in a scope with a policy assignment.
-A policy or initiative is newly assigned to a scope.
-A policy or initiative already assigned to a scope is updated.
-During the standard compliance evaluation cycle, which occurs once every 24 hours.
(https://docs.microsoft.com/en-us/azure/governance/policy/overview)
(Doesn't count too much for this question but is good information)
upvoted 5 times
KamleshLad89 1 year ago
This is correct answer.
upvoted 1 times
Gerardo1971 1 year, 4 months ago
Correct answer
upvoted 5 times
despair1990 1 year, 6 months ago
I also have the feeling it should be read only...
upvoted 1 times
KTrout 1 year, 6 months ago
Isn't this one Read Only Object vs continues to function normally?
upvoted 2 times
KTrout 1 year, 6 months ago
I appreciate you all getting back to me. Awesome site.
upvoted 3 times
GreenyErin 1 year, 6 months ago
I've tried to find anything on the subject, but the only thing MS writes is that the resource becomes non-compliant - they don't mention
any "read only" or other changes that can happen to the resource. So I would assume the correct answer should be "function
normally", but it's on the base of no other evidence rather than any solid source.
upvoted 10 times
vajeje 1 year, 6 months ago
Your answer is correct. The RSG will get the status non-compliant. Unless you specify a remediation in the policy, the current
configuration will not get altered.
upvoted 5 times
Topic 1
Question #285
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Reference:
https://www.microsoft.com/en-us/trust-center
HHHo 4 months, 4 weeks ago
Got this in exam on 2022.04.18
upvoted 1 times
David1990 5 months ago
Is security centre part of trust centre ? anyone can help?
upvoted 1 times
techgirl77 8 months, 2 weeks ago
why is the second one [No]?
upvoted 2 times
atvandenbosch 8 months, 1 week ago
Because it's a public facing website portal. https://www.microsoft.com/en-us/trust-center
upvoted 2 times
mmarinov 8 months, 3 weeks ago
It seems correct.
upvoted 2 times
Topic 1
Question #286
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Yes -
You use Azure Policy to enforce tagging rules and conventions.
Box 2: Yes -
Each resource or resource group can have a maximum of 50 tags.
Box 3: No -
Tags applied to the resource group or subscription aren't inherited by the resources.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies
https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/govern-tags
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources
lazslo78 1 week, 3 days ago
Answer is correct.
Go to azure policy and you will see that you can add Tags
upvoted 1 times
iedodo 6 months, 1 week ago
NYN, Azure policy enforces tags since they're not inherited ..correct me if I'm wrong
upvoted 1 times
mafermv 7 months, 1 week ago
Q1: YES.
You use Azure Policy to enforce tagging rules and conventions. By creating a policy, you avoid the scenario of resources being deployed to
your subscription that don't have the expected tags for your organization. Instead of manually applying tags or searching for resources
that aren't compliant, you create a policy that automatically applies the needed tags during deployment. Tags can also now be applied to
existing resources with the new Modify effect and a remediation task. The following section shows example policy definitions for tags.
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies#
upvoted 4 times
Pass4IT 6 months, 3 weeks ago
"...you can create a policy that automatically applies the needed tags during deployment..." from mafermv's text above. I support
YES for Q1.
upvoted 1 times
sephir 7 months, 2 weeks ago
It's correct: Q1 YES
"Instead of manually applying tags or searching for resources that aren't compliant, you create a policy that automatically applies the
needed tags during deployment."
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies#:~:text=Instead%20of%20manually%20applying%20tags%20or%20searching%20for%20resources%20that%20aren%27t%20compliant%2C%20you%20create%20a%20policy%20that%20automatically%20applies%20the%20needed%20tags%20during%20deployment.
upvoted 3 times
ram75 7 months, 2 weeks ago
First box is "NO". Applying tags is different from enforcing tags.
upvoted 3 times
akp1000 8 months ago
Correct answer
upvoted 1 times
examtopics6969 8 months ago
Isn't 'apply tags' and 'enforce tagging rules' 2 completely different things ?
upvoted 2 times
andie1701 7 months, 2 weeks ago
I agree, Q1 should be 'no', because with policies you can't apply a tag, but you can enforce that a tag is getting created.
upvoted 2 times
Topic 1
Question #287
DRAG DROP -
Match the resources to the appropriate descriptions.
To answer, drag the appropriate resource from the column on the left to its description on the right. Each resource may be used once, more than
once, or not at all.
NOTE: Each correct match is worth one point.
Select and Place:
Correct Answer:
Reference:
https://azure.microsoft.com/en-us/support/legal/
mafermv Highly Voted 7 months, 1 week ago
The answer must be:
1. Microsoft Privacy Statement
2. Online Services Terms: The Online Services Terms (OST) is a legal agreement between Microsoft and the customer. The OST details the
obligations by both parties with respect to the processing and security of customer data and personal data. The OST applies specifically to
Microsoft's online services that you license through a subscription, including Azure, Dynamics 365, Office 365, and Bing Maps.
3. Data Protection Addendum: The Data Protection Addendum (DPA) further defines the data processing and security terms for online
services. These terms include, Disclosure of processed data, Data transfer, retention, and deletion, etc..
https://docs.microsoft.com/en-gb/learn/modules/examine-privacy-compliance-data-protection-standards/3-access-microsoft-privacy-statement
upvoted 14 times
Danielki 5 months, 2 weeks ago
Those who reply against this comment.
Did you check the site address?
upvoted 2 times
tomfong Highly Voted 8 months ago
2 should be OST and 3 should be DPA.
They were flipped.
upvoted 5 times
VIP_G 5 months, 3 weeks ago
NO you are wrong. the answer is correct 1. Privacy Statement 2. DPA and 3. OST. An addendum is a legal document... so just on that
DPA goes with the statement that starts "A legal agreement that details...."
upvoted 1 times
Splunker Most Recent 4 months ago
Reading these comments is exhausting. Be open-minded and cool down the arrogance. All of these terms are related to legalities.
Answer to the question is here - https://azure.microsoft.com/en-in/support/legal/
upvoted 2 times
Dennis_SOn 4 months ago
What’s in the Online Services Terms?
The Online Services Terms (OST) is a legal agreement between Microsoft and the customer. The OST details the obligations by both
parties with respect to the processing and security of customer data and personal data. The OST applies specifically to Microsoft’s online
services that you license through a subscription, including Azure, Dynamics 365, Office 365, and Bing Maps.
What is the Data Protection Addendum?
The Data Protection Addendum (DPA) further defines the data processing and security terms for online services. These terms include:
Compliance with laws.
Disclosure of processed data.
Data Security, which includes security practices and policies, data encryption, data access, customer responsibilities, and compliance with
auditing.
Data transfer, retention, and deletion.
upvoted 1 times
Nishkurup 6 months, 2 weeks ago
the answer is correct.
The Online Services Data Protection Addendum (“DPA”) sets forth your and Microsoft’s obligations with respect to the processing and
security of Customer Data and Personal Data in connection with Azure.
https://azure.microsoft.com/en-gb/support/legal/#:~:text=The%20Online%20Services%20Data%20Protection,Data%20in%20connection%20with%20Azure.
upvoted 3 times
Wasia 6 months, 2 weeks ago
Data protection is a legal agreement, therefore answers are correct.
upvoted 2 times
Zhenyu 7 months, 1 week ago
The Online Services Data Protection Addendum (DPA) sets forth your and Microsoft's obligations with respect to the processing and
security of Customer Data and Personal Data in connection with Azure.
https://azure.microsoft.com/en-us/support/legal/
upvoted 1 times
akp1000 8 months ago
Two and Three are the wrong way round.
upvoted 2 times
bipsta 8 months, 1 week ago
two and three seem flipped https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA?year=2021
upvoted 1 times
Lincoln01 8 months, 2 weeks ago
This doesn't look right.
The Online Services Terms (OST) is a legal agreement between Microsoft and the customer. The OST details the obligations by both
parties with respect to the processing and security of customer data and personal data.
What is the Data Protection Addendum?
--The Data Protection Addendum (DPA) further defines the data processing and security terms for online services
https://docs.microsoft.com/en-gb/learn/modules/examine-privacy-compliance-data-protection-standards/3-access-microsoft-privacy-statement
upvoted 3 times
DS_1519 8 months, 1 week ago
you're correct. reference link confirms the same
upvoted 1 times
atilla 8 months, 2 weeks ago
if it says disclosure, I always think about terms
upvoted 1 times
AidenYoukhana 8 months, 2 weeks ago
Answers look correct!
upvoted 2 times
Topic 1
Question #288
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks
Topic 1
Question #289
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:
Correct Answer:
Reference:
https://support.azure.cn/en-us/support/faq/
kakorinaes Highly Voted 8 months, 2 weeks ago
should be the last one: is a distinct separate instance of Microsoft Azure
Microsoft Azure operated by 21Vianet (Azure China) is a physically separated instance of cloud services located in China.
upvoted 26 times
lazslo78 Most Recent 1 week, 3 days ago
I will go with D : Azure China is a separate cloud in China that doesn't currently offer all Azure services.
upvoted 1 times
charques 5 months, 2 weeks ago
I think is D... it is. a separated instance
From here: https://docs.microsoft.com/en-us/azure/china/overview-operations
Azure China has a feature parity gap, but the gap is narrowing. For more information, see Service availability and roadmaps of Azure
China.
upvoted 1 times
jeanniebobeannie 5 months, 3 weeks ago
*Option B* "Feature parity with Azure Global", seems correct. See link and quote below:
"Microsoft Azure operated by 21Vianet (Azure China) is a physically separated instance of cloud services located in China. It's
independently operated and transacted by Shanghai Blue Cloud Technology Co., Ltd. ("21Vianet"), a wholly-owned subsidiary of Beijing
21Vianet Broadband Data Center Co., Ltd.."
upvoted 1 times
jeanniebobeannie 5 months, 3 weeks ago
Answer D seems correct see link and quote below
"Microsoft Azure operated by 21Vianet (Azure China) is a physically separated instance of cloud services located in China. It's
independently operated and transacted by Shanghai Blue Cloud Technology Co., Ltd. ("21Vianet"), a wholly owned subsidiary of Beijing
21Vianet Broadband Data Center Co., Ltd.."
https://docs.microsoft.com/en-us/azure/china/overview-operations
upvoted 1 times
tacobear 6 months ago
it was on exam on 03/12/2022. This one was confusing as well. I put B but no way to tell if that was correct or not.
upvoted 1 times
Nish1108 7 months ago
Answer should be 'D'
https://docs.microsoft.com/en-us/azure/china/overview-operations
upvoted 1 times
Redsman13 7 months, 2 weeks ago
This answer is incorrect. Please see the following article:
https://docs.microsoft.com/en-us/azure/china/overview-operations
There is a paragraph stating "Azure China has a feature parity gap, but the gap is narrowing"
upvoted 4 times
JoeyTheGreat 7 months, 2 weeks ago
it says here that "its a physically separated instance"
https://docs.microsoft.com/en-us/azure/china/overview-operations#:~:text=Microsoft%20Azure%20operated%20by%2021Vianet%20(Azure%20China)%20is%20a%20physically,Cloud%20Technology%20Co.%2C%20Ltd.
upvoted 1 times
Sisb 7 months, 4 weeks ago
I once had China azure account. So B is right
I can access service from other country. it is not operated by Microsoft but has Azure global function. The tenants in China Azure can not
move to other region/country.
upvoted 4 times
ostralo 8 months ago
In China, Azure combines Microsoft’s global technologies and 21Vianet’s local operating experience to build an enterprise-level
international cloud computing platform for China.
Outside China, Microsoft Azure is operated by Microsoft itself. China’s Azure customers will be able to enjoy exactly the same user
experiences and service level as customers in other areas.
upvoted 1 times
akp1000 8 months ago
You need to be a legal entity in China to deploy so the answer is 3. https://www.youtube.com/watch?v=cbGBBgHp7Xo&list=PLYGZ9Q0oTOHfsI-3IAhvyc09ssPDfoePv&index=52
upvoted 1 times
joergsi 7 months, 4 weeks ago
Here is the Azure China Checklist:
https://docs.microsoft.com/en-us/azure/china/overview-checklist
=> you can access data from outside of China!
upvoted 2 times
kholoudMohamed 8 months, 1 week ago
Microsoft Azure operated by 21Vianet (Azure China) is a physically separated instance of cloud services located in China. It's
independently operated and transacted by Shanghai Blue Cloud Technology Co., Ltd. ("21Vianet"), a wholly owned subsidiary of Beijing
21Vianet Broadband Data Center Co., Ltd.
From : https://docs.microsoft.com/en-us/azure/china/overview-operations
Answer is : 4 (is a distinct Separate instance of Microsoft Azure)
upvoted 4 times
arjaycee 8 months, 1 week ago
Answer is correct.
Outside China, Microsoft Azure is operated by Microsoft itself. China’s Azure customers will be able to enjoy exactly the same user
experiences and service level as customers in other areas.
upvoted 1 times
UC1985 8 months, 1 week ago
Azure China has a feature parity gap, but the gap is narrowing.
So, it is a distinct instance...
https://docs.microsoft.com/en-us/azure/china/overview-operations
upvoted 2 times
iccbsports 8 months, 2 weeks ago
Azure China - Microsoft Azure operated by 21Vianet (Azure China) is a physically separated instance of cloud services located in China.
upvoted 1 times
ttm_19 8 months, 2 weeks ago
"...Microsoft Azure operated by 21Vianet (Azure China) is a physically separated instance of cloud services located in China. .."
"...Azure China has a feature parity gap, but the gap is narrowing. ..."
https://docs.microsoft.com/en-us/azure/china/overview-operations
So, it is a distinct instance...
upvoted 1 times
Topic 1
Question #290
What should you use to evaluate whether your company's Azure environment meets regulatory requirements?
A. Azure Service Health
B. Azure Knowledge Center
C. Microsoft Defender for Cloud
D. Azure Advisor
Correct Answer: C
Microsoft Defender for Cloud helps streamline the process for meeting regulatory compliance requirements, using the regulatory compliance
dashboard.
Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/regulatory-compliance-dashboard
Topic 1
Question #291
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:
Correct Answer:
Microsoft Service Trust Portal.
The Microsoft Service Trust Portal provides a variety of content, tools, and other resources about Microsoft security, privacy, and compliance
practices.
Trust Documents -
Provides a wealth of security implementation and design information with the goal of making it easier for you to meet regulatory compliance
objectives by understanding how Microsoft Cloud services keep your data secure. To review content, select one of the following options on the
Trust Documents pull-down menu.
* Audit Reports: A list of independent audit and assessment reports on Microsoft's Cloud services is displayed. These reports provide
information about Microsoft Cloud services compliance with data protection standards and regulatory requirements.
* Data Protection: Contains a wealth of resources such as audited controls, white papers, FAQs, penetration tests, risk assessment tools, and
compliance guides.
* Azure Security and Compliance Blueprints: Resources that help you build secure and compliant cloud-based applications. This area contains
blueprint-guidance for government, finance, healthcare, and retail verticals.
Incorrect:
Not: Microsoft Defender for Cloud.
Defender for Cloud is a tool for security posture management and threat protection. It strengthens the security posture of your cloud resources,
and with its integrated Microsoft Defender plans, Defender for Cloud protects workloads running in Azure, hybrid, and other cloud platforms.
Defender for Cloud provides the tools needed to harden your resources, track your security posture, protect against cyber attacks, and
streamline security management.
Not: the Microsoft 365 Compliance center
The Security & Compliance Center lets you grant permissions to people who perform compliance tasks like device management, data loss
prevention, eDiscovery, retention, and so on. These people can perform only the tasks that you explicitly grant them access to.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-with-service-trust-portal
pyro_mann 9 hours, 15 minutes ago
The question seems to refer to general services, not yours in the cloud. In that case D makes sense: https://servicetrust.microsoft.com/
upvoted 1 times
yz0067 3 days, 15 hours ago
The answer should be Defender for Cloud. See below MS Doc:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/regulatory-compliance-dashboard
upvoted 4 times
Topic 1
Question #292
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-with-service-trust-portal?view=o365-worldwide
Totoz 2 weeks, 1 day ago
answer is correct
https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-with-service-trust-portal?view=o365-worldwide
upvoted 1 times
Topic 1
Question #293
Your company has an Azure subscription that contains resources in several regions.
You need to create the Azure resource that must be used to meet the policy requirement.
What should you create?
A. a read-only lock
B. an Azure policy
C. a management group
D. a reservation
Correct Answer: B
Azure policies can be used to define requirements for resource properties during deployment and for already existing resources. Azure Policy
controls properties such as the types or locations of resources.
Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your
resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by
evaluating your resources for non-compliance with assigned policies. All data stored by Azure Policy is encrypted at rest.
Azure Policy offers several built-in policies that are available by default. In this question, we would use the 'Allowed Locations' policy to define
the locations where resources can be deployed.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/overview
El_Zammo Highly Voted 9 months, 4 weeks ago
How is this even a question? What policy?
upvoted 12 times
Mozbius_ 9 months, 2 weeks ago
Yup. Answer is obviously B based on keyword "policy" but the question on its own is straight garbage!
upvoted 11 times
joergsi 8 months ago
Maybe we have this question in the next exam:
What is the difference between Water?
upvoted 5 times
vinc855 Highly Voted 11 months, 2 weeks ago
Correct answer
upvoted 5 times
Jeend Most Recent 10 months, 1 week ago
Keyword: policy requirements
upvoted 2 times
dalamarus 10 months, 1 week ago
this came out?
upvoted 1 times